Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!rphroy!cfctech!teemc!ka3ovk!barn!hoptoad!fidogate!f111.n125.z1.FIDONET.ORG!david.turrell
From: david.turrell@f111.n125.z1.FIDONET.ORG (david turrell)
Newsgroups: comp.org.eff.talk
Subject: Re: stealing passwords is easy!
Message-ID: <14906.28501E22@fidogate.FIDONET.ORG>
Date: 7 Jun 91 02:44:23 GMT
Sender: ufgate@fidogate.FIDONET.ORG (newsout1.26)
Organization: FidoNet node 1:125/111 - Fido Software, San Francisco CA
Lines: 35

On June 2, 1991, Patrick A. Townson writes:

>A couple of sites I frequent [...] have offered to give me root privileges on
>a 'need to use it' basis, to deal with a problem on line in the middle of the
>night, etc ... but then some fraud/vandalism would occur and I would get
>blamed!

It's been stressed to me that even "root" should use his/her highest
privilege as infrequently as possible, to reduce the possibility of a
"virus" monitoring password entry and gaining root privileges itself.
The ideal policy is for the superuser/sysop to log in at the lowest level
possible which still allows for completion of any work that needs to be
done. This advice was meant for large, shared systems, which is what PCs
are becoming.

>It cannot be stressed enough that passwords need to be
>changed frequently, and be difficult to guess or force.

I've gotten away without changing my passwords all that often, although I
closely watch accounts where I pay *money*, which allows me to quickly
detect abuses.

I think the best part of your advice is about making passwords difficult
to guess. Passwords made of random characters are too hard to memorize;
but I would avoid using the word "wizard" and the names of characters in
popular computer fantasy games and science fiction.

I remember a WYLBUR system whose teletypes echoed the password after
typing a "mask" of G's on top of W's on top of M's. Then people left the
printout lying around; they didn't even bother to throw it away when they
left.

-David

--
david turrell - via FidoNet node 1:125/777
UUCP: ...!uunet!hoptoad!fidogate!111!david.turrell
INTERNET: david.turrell@f111.n125.z1.FIDONET.ORG
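The post's advice about avoiding "wizard" and the names of fantasy-game and science-fiction characters can be enforced at password-set time. The following is an added example, not code from the post or from any FidoNet software; the blocklist entries and the leet-substitution table are constructed assumptions for illustration, and a real deployment would load a much larger dictionary.

```python
import re

# Constructed blocklist in the spirit of the post: the word "wizard" plus a
# few character names from popular fantasy games and science fiction.
# Illustrative assumption only; a real policy would use a far larger list.
BLOCKLIST = {
    "wizard", "gandalf", "frodo", "bilbo", "merlin", "spock", "kirk",
    "vader", "skywalker", "yoda", "zork", "grue", "wumpus", "trinity",
}

# Common single-character substitutions, undone so that "w1z4rd" is
# recognised as "wizard". Assumed table, not an exhaustive one.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Reduce a candidate password to the dictionary word it was likely built from."""
    word = password.lower().translate(LEET)
    # Drop remaining digits/punctuation so "gandalf99" and "spock!!" collapse
    # onto the underlying word.
    return re.sub(r"[^a-z]", "", word)


def check_password(password: str, min_length: int = 8) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects short passwords and blocklisted words."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    core = normalise(password)
    if core in BLOCKLIST:
        return False, f"based on the blocklisted word '{core}'"
    # Also catch a blocklisted word padded with a couple of extra letters
    # (e.g. "gandalfx"); short words are skipped to avoid false positives.
    for word in BLOCKLIST:
        if len(word) >= 5 and word in core and len(core) - len(word) <= 2:
            return False, f"contains the blocklisted word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Gandalf", "G4nd4lf99", "Sp0ck!!2024", "correct horse battery"):
        print(repr(candidate), check_password(candidate))
```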