On 5/24/05, Richard Hoffbeck <rwh at visi.com> wrote:
> Jima wrote:
> 
> >On Tue, 24 May 2005, steve ulrich wrote:
> >
> >
> >>hmm - i have the same password on possibly thousands of boxes.  i'll
> >>have to get the NIS+ admins on that pronto.
> >>
> >>
> >
> > And if someone managed to get root on one of those NIS+-managed machines,
> >they'd be able to get to your encrypted password, right?  Right?
> > Slightly different subject, IMO.
> >
> >     Jima
> >
> >
> I think it's pretty easy to argue that passwords, at least passwords
> alone, are an idea whose time has come and gone. I've recently gone
> through a bunch of the various password checkers, PAM modules, etc., and
> it certainly appears that they impose sufficient restrictions on what
> constitutes an acceptable password that they actually make the resulting
> passwords more vulnerable to brute-force attacks. If you look at the
> reduced keyspace that comes from requiring specific character classes,
> the elimination of any passwords that contain character strings of 3
> characters or more that appear in any of the specified dictionaries, and
> just the psychology of memory, it seems like you should be able to build
> a smart password cracker to exploit those enforced weaknesses - maybe a
> project for the summer :-)

Now that we are not on the same topic anymore: the whole idea behind
Kerberos solves both the original problem and the one stated above.
Simply put, your password never goes across the network, and you can
log into any system in your realm by logging in once (single sign-on).
Yes, it is much more complicated to set up, but if you are managing
400+ systems, you likely have a complicated infrastructure in place
already.  Of course, migrating to Kerberos after you have 400+ systems
set up is non-trivial.  It's easier to start from the ground up on that
one.

Jay



-- 
Jay Kline
http://www.slushpupie.com/
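Richard's claim above, that composition rules (require one lower, one upper, one digit, one symbol) shrink the keyspace a brute-force attacker has to cover, can be quantified with inclusion-exclusion. The following is an added worked example, not code from anyone in this thread; it assumes the 95 printable ASCII characters split into four classes (26 lower, 26 upper, 10 digits, 33 symbols) and counts how many strings of a given length satisfy an "at least one of each class" rule versus the unconstrained total. The small brute-force enumerator is only there to check the formula on a tiny alphabet.

```python
from itertools import combinations, product
from math import log2

# Constructed class sizes for printable ASCII (95 characters total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def total_keyspace(length, classes=CLASSES):
    """All strings of the given length over the full alphabet."""
    return sum(classes.values()) ** length


def constrained_keyspace(length, classes=CLASSES):
    """Strings of the given length containing at least one character from
    every class, counted by inclusion-exclusion over the set of classes
    that are entirely absent from the string."""
    names = list(classes)
    alphabet = sum(classes.values())
    count = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = alphabet - sum(classes[n] for n in missing)
            count += (-1) ** k * remaining ** length
    return count


def lost_bits(length, classes=CLASSES):
    """Entropy (in bits) a uniform guesser no longer has to cover once the
    policy tells it every accepted password uses all classes."""
    return log2(total_keyspace(length, classes) / constrained_keyspace(length, classes))


def brute_force_count(length, alphabets):
    """Reference implementation: enumerate every string over a tiny alphabet.
    `alphabets` maps class name -> the characters in that class."""
    chars = "".join(alphabets.values())
    hits = 0
    for s in product(chars, repeat=length):
        if all(any(c in cls for c in s) for cls in alphabets.values()):
            hits += 1
    return hits


if __name__ == "__main__":
    for n in (8, 10, 12):
        print(f"length {n}: policy removes {lost_bits(n):.2f} bits "
              f"({constrained_keyspace(n) / total_keyspace(n):.1%} of strings remain)")
```

For 8-character passwords the rule discards a little more than half of all strings, i.e. about one bit of keyspace; the loss shrinks as length grows, which is why length, not composition, is the lever that actually costs an attacker. The dictionary-substring rule Richard mentions is harder to count in closed form but removes strings in exactly the same direction.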