dagmar at dsurreal.org
Fri Feb 9 11:09:01 PST 2001
On Wed, 7 Feb 2001, Seth David Schoen wrote:
> Rick Moen writes:
> > > If you had the chance to set up a valid password validator before the users
> > > showed up, you're fine, but in real life, you often have to check existing
> > > passwords.
> > Thus cracklib.
> So I think Marc's idea is "you inherit a site where nobody used cracklib
> before, or where there are passwords older than cracklib itself".
> The other good sysadmin response to this might be forcibly expiring
> everybody's password right away, but that only works if all users are
> still current regular users.
> So, you could expire all passwords and then lock the accounts of all users
> who don't log in within a week. This might be a reasonable substitute
> for running Crack or John the Ripper; the remaining case is where it's
> politically or logistically difficult to go the expiry route.
...in which case it's time to summon the dogs and go hunt down the policy
writers in the company and make them write a policy requiring password
expiry and limits. It seems like most places if you don't *start* by
getting upper management to make it a policy, you might as well not bother
trying to implement it. It's easier to get a policy revoked after you've
found a technical limitation that prevents its enforcement than it is to
clean up a system after a human resource problem (i.e., dumb as a rock
luser using "sekrit" for a password) hands your system to a bunch of
teenage software couriers and porn aficionados.
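The "expire everybody now, then lock whoever hasn't come back within a week" procedure that Seth describes above, written out as a dry-run shell script. This is an added example, not code from the svlug thread or from anyone in it. It reads an /etc/passwd-style listing and a "user last-login-epoch" table (both constructed here, with made-up account names), assumes regular users start at UID 1000, and prints the chage/usermod commands it would run instead of running them, so it can be reviewed before anything is touched.

```shell
#!/bin/sh
# Added example: two-pass password reset for an inherited system.
# Pass 1 expires every regular user's password; pass 2, run after the
# grace period, locks any account that has not logged in since the reset.
# Sample data and account names below are constructed for the example.

GRACE_DAYS=7
MIN_UID=1000   # assumption: regular (human) users start at UID 1000

# Constructed /etc/passwd fragment: two system accounts plus four humans.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:1003:Dave:/home/dave:/bin/false'

# Constructed last-login table: "user epoch_seconds" (0 = never logged in),
# the sort of thing a real run would derive from lastlog(8) or wtmp.
LASTLOG_SAMPLE='alice 1000000
bob 1200000
carol 0
dave 1300000'

# Regular accounts that can actually log in: UID >= MIN_UID and a shell
# that is not nologin/false. System accounts are left alone.
regular_users() {
    printf '%s\n' "$1" | awk -F: -v min="$MIN_UID" \
        '$3 >= min && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Pass 1: "chage -d 0 user" sets the last-change date to the epoch, which
# forces a password change at the next login.
expire_commands() {
    for u in $(regular_users "$1"); do
        printf 'chage -d 0 %s\n' "$u"
    done
}

# True once GRACE_DAYS have elapsed since the reset ($1 = now, $2 = reset time).
grace_elapsed() {
    [ $(( $1 - $2 )) -ge $(( GRACE_DAYS * 86400 )) ]
}

# Pass 2: a user whose last login is older than the reset time never came back
# to choose a new password, so lock the account. Users missing from the
# last-login table are treated as never having logged in.
lock_commands() {
    passwd_data=$1; reset_epoch=$2; lastlog_data=$3
    for u in $(regular_users "$passwd_data"); do
        last=$(printf '%s\n' "$lastlog_data" | awk -v u="$u" '$1 == u { print $2 }')
        [ -z "$last" ] && last=0
        if [ "$last" -lt "$reset_epoch" ]; then
            printf 'usermod -L %s\n' "$u"
        fi
    done
}

# Dry run over the constructed data: reset happened at epoch 1100000.
echo '# pass 1'
expire_commands "$PASSWD_SAMPLE"
echo '# pass 2 (after the grace period)'
lock_commands "$PASSWD_SAMPLE" 1100000 "$LASTLOG_SAMPLE"
```

Two caveats a practitioner would want. `usermod -L` only disables the password (it prefixes the hash with `!`), so an account that authenticates with an SSH key or through another PAM path may still get in; `chage -E 0` expires the account outright and is the stronger lock. And the "last login" table has to come from somewhere trustworthy: lastlog only records logins that went through the login/sshd path, so a user who only ever used cron, FTP, or POP may show as never having logged in and be locked by mistake.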