+ News & Updates
   + Skate
   + Punk/HXC
   + GNU/LinuX
   + WindowMaker
   + Linux Security101
   + Downloads
   + About Radcore
   + Friends
   + Links
   + Site Map
   + Contact


   + Independent Media Center
   + PunkVoter.com
   + The Register
   + Astalavista
   + Linux.com
   + Slashdot


   +  XMMS
   +  WINAMP
   +  MPlayer
   +  Bsplayer


   +  Waitallday
   + Jinx Record Shop
   + CannonBall666Records
   

   + None yet (Hope 2 have soon) 
   

Linux Security 101

newbie: passwords
date: 8.2.99

A guide to using and selecting secure passwords.

What is a 'password'?

Passwords are one form of user authentication. This means the system
relies on something you know to validate who is logging onto the server.
This works based on the idea of each user having a unique login, and
a secret password that only they know. Under this model, the system
verifies your password and knows it is truly you logging in.

The problem with this, is that the unix system assumes only you have
your password. It does not make provisions or understand that you
may not be the only one with your password. Some examples of why
you may not be the only one include: * Writing it down and losing the paper * Someone watching your keystrokes as you log in * A network intruder snooping your password via technical means * Someone guessing your password With that in mind, it is apparent that you need to have a secret password,that only you know, that can not be guessed.
Your administrator is responsible for the security of your system and helping prevent
network intruders from gaining your password. However, it is EVERYONE'S responsibility on the system. Why is my password so important?

Many people wonder why a single password is such a big deal.

What they often fail to realize is how intruders work, and where they start.
The following chain of events will hopefully help illustrate the severity
of a single password: John from accounting writes his password down near his workstation. Joe from engineering sees the password and writes it down for later. Late one night, Joe logs into the accounting machine using John's account and password. Using a well known exploit, Joe is able to gain 'root' priviledges on the accounting machine. With these privs,
Joe is able to view all files on the system including payroll, billing and more.
Using the illgotten privs, Joe sets up a network sniffer to monitor all traffic on the Local Area Network (LAN). Watching this traffic, Joe is able to view login names and
passwords to almost every machine on the network. Hundreds
of machines are compromised. Using a 'sniffed' login and password, Joe logs into one of
R&D's computers. Repeating the same steps, Joe is now able
to view traffic going from his company to and from a
research partner in Europe. The steps above represent the progression an attacker can make, all stemming from a single login and password. When using the unix system,
you must be mindful that your account can be a key to the kingdom.
To further illustrate the concern, here are a few other things an intruder may do with
your account alone: Use your account to break into other machines, leaving a trail
that points to YOU doing the crime. Use your account to annoy, harass and threaten other users on the internet.
Use your account to traffic in questionable or illegal material such as pornography or stolen software. Read your personal email and files. These elements alone should encourage
you to protect your account. If nothing else, you are covering your own ass ;)

 

Next>>