[somewhat OT] Re: [TriLUG] Linux Lab

Tom 'spot' Callaway tcallawa at redhat.com
Mon Nov 4 21:03:17 EST 2002


On 4 Nov 2002, Elliot Peele wrote:

> Let me rephrase that....Use their SS# as their initial password and let
> them change it. NC State still uses SSNs as initial password for all
> incoming students, staff, and faculty.

It's a shoddy policy, unless they're forced to change password immediately.
SSNs are relatively trivial to come by, especially when they are used as 
identifiers in a college environment where students work and live.

Once, while I was a student at NCSU, a friend asked me to go to the 
records office to pick up some sorority paperwork for her, since she 
wasn't done with her project (due that day), so I did. They never carded 
me, or asked me who I was. I simply asked for the paperwork for the 
sorority (no specifics, just like that), and they handed me a lengthy 
printout. It contained the names, addresses, phone numbers, and SSNs of 
all the people who had signed up to rush for that sorority.

100 freshmen SSNs may seem immaterial, but not if they are passwords.
Makes for a nasty DDoS.

IMHO, a far better method would be to assign random passwords to users, 
then give the passwords to them in person. It is by no means a foolproof 
system, but it is a far less obvious one.

~spot
---
Tom "spot" Callaway <tcallawa(a)redhat*com> Red Hat Sales Engineer
Sair Linux and GNU Certified Administrator (LCA)
Red Hat Certified Engineer (RHCE)
GPG: D786 8B22 D9DB 1F8B 4AB7  448E 3C5E 99AD 9305 4260

The words and opinions reflected in this message do not necessarily
reflect those of my employer, Red Hat, and belong solely to me.

"Immature poets borrow, mature poets steal." --- T. S. Eliot
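
An added example, not part of the original message: one way to provision the random initial passwords suggested above, with each account flagged for a forced change at first login. The usernames, the 12-character length and the look-alike-free alphabet are assumptions; the output targets the standard `chpasswd` and `chage -d 0` tools.

```python
import math
import secrets

# Assumed alphabet: no look-alike characters (0/O, 1/l/I), so a password read
# off a printed slip handed over in person is not mistyped.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
SSN_KEYSPACE = 10 ** 9  # nine decimal digits, an upper bound on SSN guesses


def entropy_bits(keyspace):
    """Bits of guessing work for a value drawn uniformly from `keyspace`."""
    return math.log2(keyspace)


def random_password(length=12):
    """Draw each character from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision(usernames, length=12):
    """One record per user: a unique random initial password, must-change set."""
    records, issued = [], set()
    for name in usernames:
        pw = random_password(length)
        while pw in issued:  # collisions are wildly unlikely; enforce anyway
            pw = random_password(length)
        issued.add(pw)
        records.append({"user": name, "initial_password": pw, "must_change": True})
    return records


def chpasswd_lines(records):
    """'user:password' lines, the stdin format read by chpasswd(8)."""
    return [f"{r['user']}:{r['initial_password']}" for r in records]


def expire_commands(records):
    """chage -d 0 marks the password expired, forcing a change at next login."""
    return [["chage", "-d", "0", r["user"]] for r in records if r["must_change"]]


if __name__ == "__main__":
    roster = ["student01", "student02", "student03"]  # constructed sample users
    recs = provision(roster)
    print(f"SSN as password: at most {entropy_bits(SSN_KEYSPACE):.1f} bits")
    print(f"random 12 chars: {entropy_bits(len(ALPHABET) ** 12):.1f} bits")
    for line, cmd in zip(chpasswd_lines(recs), expire_commands(recs)):
        print(line, "|", " ".join(cmd))
```

The `user:password` lines are plaintext credentials: pipe them straight to `chpasswd` as root and print the hand-out slips from the same run rather than saving them to disk.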



