virulence of the recent virus


Stuart Cracraft (orion.cf.uci.edu!paris.ics.uci.edu!venera.isi.edu!cracraft@ucsd.edu)
5 Nov 88 17:07:50 GMT


Some brief tests have shown that the recent virus attack could
breach approximately 4.6% of passwords on a typical large-sized
Unix mainframe, revealing 10-20 passwords.

All of this once again exposes the weakest link of any password-based
security system: the passwords.

As a system maintainer, the two best things you can do to increase
your ability to sleep at night are:

        * enable password aging

        * enable complex passwords

The first of these tells Unix to occasionally require that the
user input a new password and confirm it, giving the old password to
assure he is authorized. If you enable aging, for example, once every
month or two, every user who logs into your system will be required
to specify a new password.

The second of these is the more useful, but both are needed in
conjunction to close a lot of holes in Unix. This particular one requires
that the user specify a password with complex characters in it,
either non-alphabetic, or numeric mixed with alphabetic and of
at least a certain length (10 characters seems like a good size).

Prior to this, the system maintainer can conduct an audit of the
system, looking for null password fields in /etc/passwd or using
Jim Gillogly's script (see earlier messages on this list) to
discover English language words already compromised by the
current attack (its candidate word list -- which will most surely
be in the hands of every small-fry youngster who sees the current
media-glory as a chance to gain new heights in his teenage years
by becoming a cracker). Hence, this list must always be checked
against.

Doing these three things (audit, aging, and complex) will greatly
increase the security of a system. Not all Unixes have the latter
two, but this is possible to implement.

        Stuart
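
The audit and complex-password steps described in the message above, as an added example that is not part of the original post. The function names, the sample passwd entries and the three-word list are constructed for illustration; the 10-character minimum is the figure the post suggests.

```python
# Constructed sample in /etc/passwd format (name:password:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
guest::1001:100:Guest account:/home/guest:/bin/sh
alice:x:1002:100:Alice:/home/alice:/bin/sh

# local comment line
sync::4:65534:sync:/bin:/bin/sync
broken-line-without-fields
"""

# Constructed stand-in for a candidate word list such as the one the post mentions.
SAMPLE_WORDS = {"wizard", "computer", "aardvark"}


def null_password_accounts(passwd_text):
    """Return account names whose password field (2nd field) is empty."""
    found = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; a real audit would report it separately
        if fields[1] == "":
            found.append(fields[0])
    return found


def check_new_password(candidate, wordlist, min_length=10):
    """Return (accepted, reason) for a proposed password under the post's rules."""
    if len(candidate) < min_length:
        return False, "shorter than %d characters" % min_length
    if candidate.isalpha():
        return False, "letters only; needs a digit or other non-alphabetic character"
    # Strip non-letters so 'wizard1988!!' is still matched against the list.
    letters = "".join(c for c in candidate.lower() if c.isalpha())
    if letters in wordlist:
        return False, "based on a word from the candidate list"
    return True, "ok"


if __name__ == "__main__":
    print("accounts with null passwords:", null_password_accounts(SAMPLE_PASSWD))
    for pw in ("wizard", "computerscience", "aardvark1988", "tr4in-st@tion9"):
        print(pw, "->", check_new_password(pw, SAMPLE_WORDS))
```

The password check belongs at the point where a user sets a new password, so a listed word never reaches the password file in the first place.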


