
Re: Many passwords



On Wed, 7 Feb 2001, Dan Weinreb wrote:

-   Date: Wed, 7 Feb 2001 18:32:03 -0500
-   From: Peter W <peterw@usa.net>
-
-   If all the hosts can talk to the LDAP server, then wouldn't you want to use
-   the same password for all of them? Isn't that one of the selling points of
-   stuff like NIS/NDS/ActiveDirectory/LDAP?
-
-You might not have a choice.  On some systems the administrators make
-up the passwords, and you can't change your own password.  (Usually
-the theory here is that if allowed, you'll change your password to
-something easy and obvious to guess.)

Valid theory.  Given the opportunity, people pick poor passwords.
They often _think_ their passwords are good, but they aren't.
Password crackers are pretty sophisticated these days and are very
good at finding common variations on dictionary words, dates, and
names.  In tests I ran a year or so ago for a former employer, I
cracked about half the UNIX and NT passwords using just variations on
user information and a small list of common passwords.  Took less than
30 seconds.  These users really believed they were being clever using
common script kiddie substitutions like o->0, s->5, etc., or using
(ahem!) four letter Anglo-Saxonisms in their passwords.  You might be
surprised at the number of people who think they are the first to
think of using f**k or s**t in a password.

-Or, perhaps there's one host that has excellent security, on which you
-store valuable secrets, and there's another host with mediocre
-security, from which passwords could more easily be stolen.  If you
-use the same password, the bad guys can crack the less-secure
-computer, and then log in as you on the more-secure computer.

Too true.  For example, because of the LANMAN hash used for
compatibility with Win 9X, NT passwords are notoriously easy to crack
by brute force.  In fact any good high end desktop machine can exhaust
the name space using John the Ripper on Linux in about 30 days.

However, if there is a need for multiple passwords, couldn't LDAP
store them under different trees (or whatever you call them) so there
would be a uid=joedoe,ou=people password, and a uid=joedoe,ou=secure
password?  Can LDAP do this?

--
-- Stephen Carville <stephen.carvile@trw.com>
   TRW Systems Information and Technology Group
   +1 310 764-3228
   DH4/1447
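A defender-side illustration of the cracking observations above, added here and not code from Stephen's post or anyone in the thread: a password-policy check that undoes the substitutions he mentions (o->0, s->5) before comparing against a small constructed wordlist and against the user's own information (username, name parts, birth date). The wordlist, the user names and the date are assumed sample values.

```python
"""Password policy check in the spirit of the thread above (constructed example).

It undoes the common substitutions the post mentions (o->0, s->5, ...) and
rejects candidates that are trivial variations of a short wordlist or of the
user's own information, the two sources a cracker tries first.
"""
import re
from datetime import date

# Reverse map of common substitutions (constructed list, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a real wordlist; a deployment would load a large one.
COMMON_WORDS = {"password", "secret", "welcome", "letmein", "qwerty", "summer"}


def normalize(candidate: str) -> str:
    """Lower-case and undo leet substitutions so 'S3cr3t' equals 'secret'."""
    return candidate.lower().translate(LEET)


def user_tokens(username: str, full_name: str, birth: date) -> set[str]:
    """Strings derivable from user information: uid, name parts, date formats."""
    tokens = {username.lower()} | {p.lower() for p in full_name.split()}
    tokens |= {birth.strftime(f) for f in ("%Y", "%y", "%m%d", "%d%m%y", "%m%d%Y")}
    return tokens


def is_weak(candidate: str, username: str, full_name: str, birth: date) -> bool:
    """True if candidate is short, a dictionary word, or built from user data."""
    if len(candidate) < 8:
        return True
    tokens = user_tokens(username, full_name, birth)
    for form in (candidate.lower(), normalize(candidate)):
        # strip digits/punctuation tacked on either end: 'secret99', '!welcome'
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", form)
        if core in COMMON_WORDS or core in tokens:
            return True
        # a name or date embedded anywhere in the candidate, e.g. 'xjoe1975x'
        if any(len(t) >= 4 and t in form for t in tokens):
            return True
    return False


if __name__ == "__main__":
    # Sample user (constructed): uid joedoe, born 12 April 1975.
    for pw in ("S3cr3t99", "Joe1975!", "Tr0ub4dor&3"):
        print(pw, "weak" if is_weak(pw, "joedoe", "Joe Doe", date(1975, 4, 12)) else "ok")
```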