hacked - looking for doc/suggestions on hardening/securing systems from the start

Tim ignored_mailbox at yahoo.com.au
Thu Dec 19 17:16:13 UTC 2013

Allegedly, on or about 18 December 2013, Rick Stevens sent:
> 3. Make sure you enforce complex passwords and require them to be
> rotated at least every 90 days. 

I take issue with the continually changing passwords idea.

If you get hacked, changing the password after the event is too late.
And if they installed a backdoor, changing your password will be
completely pointless.

If you haven't been hacked, you're just making life harder for yourself,
trying to remember all these passwords.  Or making things less secure,
because you have to write them down.

A reasonably good password can't be guessed, nor is it likely to be got
at by a dictionary attack without attracting attention.  i.e. Even if my
password was simply just the word "red", how many guesses, out of all
the possible words in a dictionary, would it take to guess it?  You
can't partially crack it, like in the movies where they show that three
letters in a password have been correctly guessed; it's complete
pass/fail.  Trying to find the right password has just got to be
detectable.  And the chances of someone guessing that my password might
be "purplepolkadotsonmydog" are next to infinitely impossible.  You'd
have to guess which words, and in what order.  Of course, completely
stupid passwords ("password", "remember", the username logon repeated as
the password) might be guessed in the first few attempts, as the first
attack words on the list to try.

You really need something that detects attempts to crack passwords,
responds appropriately to thwart the attacks while they happen, and
immediately notifies you that an attempt is happening as it happens
(e.g. email to a separate system), so you know to check, and the
notification isn't stored somewhere that will be deleted during the
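As an added example (not code from Tim's or Rick's post), here is the kind of detector the last paragraph asks for, in Python over constructed sshd log lines: it counts failed logins per source address inside a sliding time window, lists the firewall rules an operator would apply, and builds the text for an out-of-band alert. Assumed: syslog-style sshd lines, a year for the timestamps (syslog omits it), and the threshold and window values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines; not captured from any real system.
SAMPLE_LOG = """\
Dec 18 03:14:01 host sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 50111 ssh2
Dec 18 03:14:03 host sshd[2002]: Failed password for root from 198.51.100.7 port 50112 ssh2
Dec 18 03:14:04 host sshd[2003]: Failed password for root from 198.51.100.7 port 50113 ssh2
Dec 18 03:14:06 host sshd[2004]: Failed password for invalid user test from 198.51.100.7 port 50114 ssh2
Dec 18 03:14:08 host sshd[2005]: Failed password for root from 198.51.100.7 port 50115 ssh2
Dec 18 03:20:00 host sshd[2010]: Failed password for tim from 203.0.113.9 port 40001 ssh2
Dec 18 03:20:30 host sshd[2011]: Accepted password for tim from 203.0.113.9 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def parse_failures(log_text, year=2013):
    """Yield (timestamp, user, source_ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_bruteforce_sources(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for sources with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders

def response_actions(offenders):
    """Firewall rules an operator would apply (returned as strings, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]

def build_alert(offenders):
    """Body of the notification to mail to a separate system while the attack runs."""
    lines = [f"{ip}: {n} failed logins" for ip, n in sorted(offenders.items())]
    return "Password-guessing detected\n" + "\n".join(lines)
```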

