Security of using sudo rather than su?
a24061 at yahoo.com
Fri Sep 15 13:22:35 UTC 2006
On 2006-09-14, Tony Arnold <tony.arnold at manchester.ac.uk> wrote:
> But then there is the human element, as always! The stricter the policy,
> the more likely it is that users will forget their passwords thus
> potentially creating more calls to the support desks, or will write them
> on a Post-It (tm) note and stick it on their monitor. So one has to have
> the right balance to manage these issues.
I heard part of a funny skit on the radio (BBC Radio 4, I think) a few
years ago, in which the IT technician assured someone that
"I've upgraded everything on your computer and added military-grade
encryption, so it will be *totally* secure for the next 15 minutes."
"Why 15 minutes?"
"That's when you'll write the password on a Post-It note and stick it
under your desk." [Post-It is of course a trademark of 3M. -Ed.]
> The idea of changing passwords on a regular basis was apparently based
> on how long it would take to crack a password using brute force
> techniques. Unfortunately, it appears that some of the recommendations
> are based on crack time of twenty years ago, when the time needed was
> several months. With modern technology, the times are down to under an
> hour, so to beat that, we would have to change our passwords every 30
> minutes or so!
I'm sure I've read that frequent password rotation has a much worse
effect (on what users do) than requiring strong passwords, but I can't
find it now. (I thought it was on The Register.)