<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Could we put together some Real World suggestions / Best Practices,
at least for the very few that do care?<br>
I am sure that crackers would leave us mostly alone with some basic
precautions, as there are so many lower hanging fruit available all
over the place...<br>
<br>
That article in Wired was OK, but very thin about what to do better.<br>
<br>
some suggestions: (please do correct me, especially when something
is dumb)<br>
<ul>
<li>Build SEVERAL sets of items, like "city born in *hopE of
redeMption 1952*", "Mother's maiden name *McJarowitzsson*" to
use in websites. OF COURSE different passwords, doh.<br>
<br>
</li>
<li>Set up at least one fake "persona", and a gmail or other
safe account to have password recovery point to. Keep access to
that account minimal and separate from all other (certainly do
not have it point to your Thunderbird)<br>
<br>
</li>
<li>Keep such information as if it were cash or negotiable
securities, printed, not in hackable memory, and/or in encrypted
flash fobs or PGP encrypted stuff - redundancy is important, but
it is vital that one cracked password does not allow immediate
access to <i>en clair</i> passwords<br>
</li>
</ul>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 12/07/2012 10:18 AM, Tim Young
wrote:<br>
</div>
<blockquote cite="mid:50C216DF.7060807@LightSys.org" type="cite">This
is often used when a virus or something hits your computer, grabs
the hashed password, and sends it off to someone.
<br>
<br>
In the Linux world, it is when someone grabs the password/shadow
files and takes them off-site.
<br>
<br>
I once managed a bunch of Unix computers (Sun, DEC, Linux, and
others) and had one that I was not monitoring. Somewhere along
the line I logged into it to find that a hacker had gotten into it
and was running password breaking tools on it. The hacker had
downloaded some 30 different password files and was hammering on
them one after the other. This was from a bunch of different
sites around the world that he had managed to snag the password
file from. Anyway. I have seen it in action. It works... (that
was before the shadow file needed root privs to be able to read.
It is easy to snag the whole password file if you use NIS on your
system.)
<br>
<br>
- Tim Young
<br>
<br>
On 12/7/2012 7:59 AM, <a class="moz-txt-link-abbreviated" href="mailto:dcolburn@bibleseven.com">dcolburn@bibleseven.com</a> wrote:
<br>
<blockquote type="cite">
<br>
BTW: I am not sure how this gets around a Try -3 then Wait
3-Hours
<br>
limit + a Warning when multiple attempts are made.
<br>
<br>
</blockquote>
<br>
<br>
_______________________________________________
<br>
ChristianSource FSLUG mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Christiansource@ofb.biz">Christiansource@ofb.biz</a>
<br>
<a class="moz-txt-link-freetext" href="http://cs.uninetsolutions.com">http://cs.uninetsolutions.com</a>
<br>
</blockquote>
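<p>The question in the quoted thread (how offline cracking gets around a "try 3, then wait 3 hours" rule) comes down to where the check runs. The lockout lives in the login server; once someone has the password file, every check is done on their own machine and the server never sees it. The only defence left in the file itself is the cost of one check, which is why a per-user salt and a slow KDF matter. The following Python is an added illustration written for this page, not code from the thread or the mailing list: the account record, the sample password and the iteration count (kept low so the demo runs quickly) are all constructed.</p>

```python
"""Added example: why an online lockout does not protect a stolen password
file, and what a salted, slow KDF does instead. Not from the original thread."""
import hashlib
import hmac
import os
import time

# Constructed sample values (assumptions for the demo, not from the thread).
SAMPLE_PASSWORD = "correct horse"
PBKDF2_ITERATIONS = 50_000  # deliberately low so the demo finishes in well under a second


def hash_unsalted_sha256(password: str) -> str:
    """The weak store: one fast hash, no salt. Equal passwords give equal hashes,
    and one guess can be compared against every stolen record at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """The better store: a random per-user salt plus a deliberately slow KDF.
    Two users with the same password get different digests."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def check_record(record: dict, candidate: str) -> bool:
    """Recompute the KDF for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


class OnlineLogin:
    """The 'try 3, then wait 3 hours' rule as a live server enforces it.
    It governs only attempts that pass through attempt(); a copy of the
    record checked elsewhere never touches this counter."""

    MAX_FAILURES = 3
    LOCKOUT_SECONDS = 3 * 60 * 60

    def __init__(self, record: dict):
        self.record = record
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, candidate: str, now: float) -> str:
        """Returns 'ok', 'wrong' or 'locked'. `now` is injected so tests need no clock."""
        if now < self.locked_until:
            return "locked"
        if check_record(self.record, candidate):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + self.LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def seconds_per_check(fn, n: int) -> float:
    """Average wall-clock cost of one candidate check when the file is offline
    and no server-side lockout applies: cost per check is the whole defence."""
    start = time.perf_counter()
    for i in range(n):
        fn(f"guess-{i}")
    return (time.perf_counter() - start) / n


def offline_cost_ratio(record: dict) -> float:
    """How many times more expensive one check is under the salted KDF than
    under unsalted SHA-256 (the ratio is what the 'slow KDF' advice buys you)."""
    fast = seconds_per_check(hash_unsalted_sha256, n=1000)
    slow = seconds_per_check(lambda c: check_record(record, c), n=10)
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    record = make_record(SAMPLE_PASSWORD)
    login = OnlineLogin(record)
    for cand, t in (("a", 0.0), ("b", 1.0), ("c", 2.0), (SAMPLE_PASSWORD, 3.0)):
        print(f"online attempt {cand!r} at t={t}: {login.attempt(cand, t)}")
    print(f"after lockout, right password: {login.attempt(SAMPLE_PASSWORD, 4.0 + 3 * 3600)}")
    print(f"offline check cost, KDF vs unsalted SHA-256: x{offline_cost_ratio(record):.0f}")
```

The online path locks out even the correct password after three failures, which is what the lockout is meant to do. The same record handed to <code>check_record</code> directly has no such counter, so the measured cost ratio is the number that actually limits an offline attacker; raise the iteration count (or use scrypt/argon2) until one check is as slow as your login latency budget allows.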
<br>
</body>
</html>