trojan problem (password protection)
Billy Verreynne (JW)
VerreyB at telkom.co.za
Fri Jan 27 11:02:46 UTC 2006
Jeremiah Foster wrote:
> There is some debate about your last statement.
> Some people say you should write your difficult
> password down. It makes it more likely you will
> use a good one that is hard or impossible to
> remember.
I recall how well a mainframe sysadmin secured the system - including
having a good password policy, access controls and so on.
All of which was negated by senior developers having the passwords for
the main development and production accounts written on sticky notes
stuck to their cubicles' partitions.
To prove a point I used it to create a trojan that the sysadmin ran
(thinking the accounts were secured) and I gained root access (the root
account was called tsos) that way in a few hours.
My take on it is that complex passwords offer no more protection than
less complex passwords. If someone goes to the lengths of a brute
force attack, the password will be cracked. It is just a question of
when and not if.
So select a password that is easy enough to remember and cannot be
easily guessed via social engineering methods. And -never- write that
password down anywhere, except as a mental one written in nice, large
and friendly letters.
--
Billy
More information about the ubuntu-users
mailing list