Re: Secure passwords?
From: Steven L Umbach (n9rou_at_nsattbi.com)
Date: 06/19/03
- Next message: Steven L Umbach: "Re: NTFS file owners gone"
- Previous message: Steven L Umbach: "Re: Admin account password problems"
- In reply to: Invisible: "Secure passwords?"
- Next in thread: Invisible: "Re: Secure passwords?"
- Reply: Invisible: "Re: Secure passwords?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 19 Jun 2003 05:39:02 GMT
Looks like a good password to me. The problem is to have good
passwords on ALL administrator accounts and control them well, and never use
the same password for a local account as a domain account. An attacker
does not have to obtain the administrator account itself. Make sure that
the administrators use their accounts only when they have to or use runas
when necessary and if possible only on specific secured machines, and never
while on the internet. Consider using alt characters in passwords such as £
or ?. Physical security is of prime importance to protect passwords. If an
attacker can get physical access to a domain controller, then all bets are
off. Even though it is of debated use, consider renaming the administrator
account and creating a "dummy" administrator account that you could monitor
for attacks. There are tools such as LC4 that can find out user passwords,
given enough time. --- Steve
http://www.atstake.com/research/lc/
"Invisible" <orphi69@hotmail.com> wrote in message
news:08f101c3357d$12de79a0$a601280a@phx.gbl...
> Simple question: would this be a good password?
>
> J0yW-9NeH-hRRB-NNrV-15Iq-Gm8y-Qwwn-IQFf
>
> Would it be better without the dashes? (Surely it makes no
> difference either way!) And no, it's not a product key or
> a serial number for anything; it's generated using the
> random-number generator in Excel, using a VB macro. (I
> have no idea what seeds this generator, but I doubt anyone
> will bother attempting to crack it.)
>
> The macro can include the characters a-z, A-Z, 0-9, # and
> *. Should I add more characters to this? Would I be better
> actually taking a real coin and physically tossing it 70
> thousand times rather than using a pseudo-random number
> generator in a computer [that was probably only meant for
> statistical simulations, and designed for speed, not
> cryptographic strength]?
>
> Opinions?
>
> I want passwords for high-powered accounts that don't get
> used often. For example, I'm planning to never use the
> Administrator account; I'm going to create separate
> accounts for all the people who need to do stuff, each
> with different passwords, so when we audit we know WHICH
> administrator did what. (And yes, these people will have
> separate "normal" accounts too.)
>
> So since no-one will ever log in as Administrator itself,
> I thought it would be nice to give it a mile-long
> password. (I also plan to do it to that pesky Guest
> account you can't delete. And set both of them so you have
> to change the password at first login!)
>
> Thanks.
>
> PS. How often do we change it?
>
> PPS. Can you find out what a user's password is? (In case
> they can't remember what they changed it to.) Or is that
> impossible? (Yes, I *know* you can just reset it and let
> them try again; I'm just curious.)
>
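The quoted question asks whether a 32-character password from a 64-symbol alphabet (a-z, A-Z, 0-9, # and *) is strong, whether the dashes matter, and whether Excel's statistical random-number generator is a safe source. The following is an added example, not code from either poster and not the Excel/VB macro described in the thread; it uses Python's `secrets` module (the operating system's CSPRNG) in place of the spreadsheet generator, shows that dashes at fixed positions add nothing to the entropy, and contrasts a CSPRNG with a seeded statistical PRNG, whose output is fully determined by its seed. The seed value and the password length are constructed for the example.

```python
import math
import random
import secrets

# Alphabet the quoted macro used: a-z, A-Z, 0-9, '#' and '*' (64 symbols).
ALPHABET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "#*"
)


def entropy_bits(n_chars: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of n_chars symbols drawn uniformly from an alphabet of the given size.

    Separators inserted at fixed positions (a dash after every 4 characters)
    carry no choice, so they contribute nothing; only the random symbols count.
    """
    return n_chars * math.log2(alphabet_size)


def group_with_dashes(s: str, group: int = 4) -> str:
    """Insert a dash after every `group` characters (readability only)."""
    return "-".join(s[i:i + group] for i in range(0, len(s), group))


def strip_dashes(pw: str) -> str:
    """Undo group_with_dashes; the result is the only part that matters for strength."""
    return pw.replace("-", "")


def generate_password(n_chars: int = 32, alphabet: str = ALPHABET) -> str:
    """Draw n_chars symbols with the OS CSPRNG (secrets), then group them for reading."""
    raw = "".join(secrets.choice(alphabet) for _ in range(n_chars))
    return group_with_dashes(raw)


def generate_with_seeded_prng(seed: int, n_chars: int = 32, alphabet: str = ALPHABET) -> str:
    """Same construction from a statistical PRNG seeded with a small integer.

    This is the weak pattern the quoted poster worried about: the password is a
    pure function of the seed, so the same seed always reproduces it.  Included
    only to contrast with `secrets`; do not generate real credentials this way.
    """
    rng = random.Random(seed)  # constructed seed, stands in for an unknown spreadsheet seed
    raw = "".join(rng.choice(alphabet) for _ in range(n_chars))
    return group_with_dashes(raw)


def is_well_formed(pw: str, n_chars: int = 32, alphabet: str = ALPHABET) -> bool:
    """Check that a grouped password has exactly n_chars symbols, all from the alphabet."""
    raw = strip_dashes(pw)
    return len(raw) == n_chars and all(c in alphabet for c in raw)


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    print(f"{entropy_bits(32):.0f} bits of entropy, with or without the dashes")
    same = generate_with_seeded_prng(12345) == generate_with_seeded_prng(12345)
    print("seeded PRNG reproduces the same password from the same seed:", same)
```

Run as a script it prints one fresh password and its entropy (32 symbols from 64 choices is exactly 192 bits, far beyond what any cracker of the period could search); the seeded-PRNG comparison is what makes the poster's concern concrete, since the strength of that path collapses to the number of possible seeds rather than the length of the password.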