[TriLUG] Privileges and Social Engineering

Jeff Tickle jtickle at jtsoft.net
Tue Jun 15 22:26:19 EDT 2004


> Sorry for the delay in replying, but I've been away from the keyboard.  I was thinking of password guessing, yes.  As a little more explanation of my thinking, I had in mind an ordinary person, inexperienced with Linux, the sort of person who selects their birthday / spouse's name, or the like for their login password.  The original post, IIRC, spoke of such an inexperienced user.

Good call.  I didn't even think of that... you're right, the average
user wouldn't even bother trying to change "ilovejennie" to
"!10v3J3|\||\|!3".

Oh well.  So for average-user systems, disabling root login altogether
is a good deal... and then you have to su.  Still not exactly secure but
at least it's not just sticking a sign out front begging for a hacking.

> Disabling root login makes password guessing more difficult, since if root login is disabled, then the bad guy needs to not only guess a password, but guess the password of a user in the group permitted to su.
> 
> About secure passwords, I've seen warnings when a dictionary entry is selected as a password (Mandrake again?), but the warning doesn't prevent the user selecting the dictionary entry as a password. 
-- 
Jeff Tickle <jtickle at jtsoft.net>
JTSoft.net
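
An added example, not part of the original message: a password check that refuses a dictionary or personal-information password instead of only warning, and that also undoes the character substitutions shown above before checking. The word list, thresholds and function names are assumptions made for illustration.

```python
# Added example: constructed word list and thresholds, not from the thread.
WORDLIST = {"love", "jennie", "password", "linux", "dragon"}  # stand-in dictionary
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "!": "i", "@": "a", "$": "s"})
MIN_LENGTH = 10      # assumed policy value
MIN_RESIDUAL = 8     # characters that must remain once guessable parts are removed


def normalize(password):
    """Lower-case the password and undo common look-alike substitutions."""
    text = password.lower().replace("|\\|", "n")   # "|\|" written for "n"
    return text.translate(LEET)


def residual(text, tokens):
    """Count the characters left after deleting every guessable token."""
    for token in sorted(tokens, key=len, reverse=True):
        text = text.replace(token, "")
    return len(text)


def check_password(password, personal=()):
    """Return (accepted, reason). personal holds names and dates tied to the user."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    tokens = WORDLIST | {p.lower() for p in personal if len(p) >= 3}
    # Test the raw form (keeps dates intact) and the de-substituted form.
    forms = (password.lower(), normalize(password))
    if min(residual(form, tokens) for form in forms) < MIN_RESIDUAL:
        return False, "built from dictionary or personal words"
    return True, "ok"


def set_password(password, personal=()):
    """Refuse the change outright instead of printing a warning and continuing."""
    accepted, reason = check_password(password, personal)
    if not accepted:
        raise ValueError("password rejected: " + reason)
    return True
```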



