Naked

Reports that the website MySQL.com was compromised by the simplest of attacks are shocking. The site is owned by Oracle. What adds to the horror is that some VIPs who had accounts on the site used trivial passwords. Fortunately they did not post mine, and I had forgotten it anyway…

In the 21st century, is there anyone besides my wife who thinks passwords should be trivial? Who still uses the same password on multiple sites? Who still uses short, memorable passwords? If you do, it is past time for you to keep your own little database of strong passwords. There are many applications that provide exactly that, along with a password generator.

For example, in the repositories of Debian GNU/Linux, apt-cache search password | grep manager finds:

  • cpm – Curses based password manager using PGP-encryption
  • gringotts – secure password and data storage manager
  • kwalletmanager – secure password wallet manager
  • keychain – key manager for OpenSSH
  • mypasswordsafe – Easy-to-use password manager
  • password-gorilla – a cross-platform password manager
  • pwsafe – command line encrypted password database manager
  • revelation – GNOME2 Password manager
  • trac-accountmanager – account management plugin for Trac
  • zsafe – Password manager with encryption
  • fpm2 – a password manager with GTK+ 2.x GUI
  • gpass – The password manager for GNOME2

Of course, there are still Post-It Notes… but a good password is very hard to type. Passwords should be long and strong, and that makes them hard to type by hand. Copy and paste from a password manager is much easier, although a bit less secure, since anything else running in your session can read the clipboard. With all the accounts one has these days on the web and on computer systems, it is also a great idea to keep a backup of the database. FLOSS makes that easy, and many of the password managers have backup as a feature.
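
As an added example (not code from the post or from any of the packages listed above), here are the two pieces a password manager supplies that a human does not: a generator backed by the operating system's CSPRNG, and an honest estimate of how strong the result is. The 16-word list and the guess rate in the demo are constructed for illustration; a real Diceware or EFF list has 7776 words.

```python
import math
import secrets
import string

# Printable ASCII minus space: 94 symbols, the usual "long and strong" alphabet.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list for the passphrase demo. A real
# Diceware/EFF list has 7776 words; entropy per word is log2(list size).
WORDLIST = (
    "berry", "mushroom", "physics", "debian", "kettle", "fishing",
    "maple", "granite", "saddle", "lantern", "orbit", "prairie",
    "thimble", "walrus", "cobalt", "meadow",
)


def generate_password(length=20, alphabet=DEFAULT_ALPHABET):
    """Uniform random password from the OS CSPRNG (secrets), never random.random()."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and an alphabet of at least 2 symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=6, wordlist=WORDLIST, sep=" "):
    """Diceware-style passphrase: typeable by hand, strong only if the list is big."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly chosen string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given offline guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash; illustrative only
    for label, bits in (
        ("8 lowercase letters", entropy_bits(8, 26)),
        ("20 chars from 94 symbols", entropy_bits(20, 94)),
        ("6 words from this 16-word list", entropy_bits(6, len(WORDLIST))),
        ("6 words from a 7776-word list", entropy_bits(6, 7776)),
    ):
        years = seconds_to_exhaust(bits, rate) / (365.25 * 24 * 3600)
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years at {rate:.0e}/s")
    print(generate_password())
    print(generate_passphrase())
```

The point of the table the demo prints is that strength comes from the size of the search space, not from how odd the characters look: six words from a 7776-word list beat twenty characters of line noise only slightly, but are far easier to type from a Post-It.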

This is another example of how useful Debian GNU/Linux is. There are multiple choices for many important tasks in the 30K packages in the repository.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

6 Responses to Naked

  1. In Debian GNU/Linux the passwords are not stored at all; just a hash of the password is stored in /etc/shadow:
    grep pogson /etc/shadow
    grep: /etc/shadow: Permission denied
    pogson@nb:~$ su
    Password:
    root@nb:/home/pogson# grep pogson /etc/shadow
    pogson:gibberishgibberishgibberishgibberishgibberish…:14853:0:99999:7:::
    root@nb:/home/pogson#

    The hash is an MD5 sum of the password and is not easily reversible even if the attacker could get it. On my system, the attacker would need root access to get it or would need control of the hard drive. Once in as root, the attacker can be me without a password:
    su pogson

    With OpenSSH we can also be passwordless, and the client exchanges a key with “known” hosts. It’s all about layers. More is better, but it defeats the purpose of IT for us to suffer time and wasted energy to log in. We could use simple passwords to log in to our normal accounts but access the network with a passwordless login as OpenSSH does it.

  2. Ray says:

    @Bender
    TrueCrypt solves everything.

    If you’re looking for a tough password, there is passwordcard. Even if you lose it, the person who finds it can’t use it for your passwords. 😀

  3. Bender says:

    @Mats Hagglund

    I believe it is because of keyboard settings or something like that. Actually on *NIXes passwords are FAR safer than on that other OS. Your passwords are stored in a /etc/passwd file, sorry, these are not passwords but hashes (the stronger the encryption algorithm the stronger the password) AND to that you have “salts”. So in order to crack the password an attacker would have to use a dictionary-based attack (it will get cracked if your password is too simple); the other way is to use rainbow tables (“ready made” hashes), but in this case you’d need a rainbow table for EVERY salt and that takes GB of data per rainbow table, and then you have the brute force attack, in which case all the cons above apply.
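
The shadow line in comment 1 and the salt argument in comment 3, as an added example that is not from the post or from any commenter: a pure-Python reimplementation of the “$1$” MD5-crypt scheme that crypt(3) uses for lines like the one quoted above, followed by what a verifier and what an attacker each do with such a line. It is not a plain MD5 sum of the password: the salt and the password are mixed through a fixed 1000-round loop, and the salt is what forces an attacker to redo that work per entry instead of reusing a precomputed table. The user name “pogson”, the salt “saltsalt”, the password and the word list are constructed for the demonstration; the trailing date fields copy the layout of the comment’s line. Later Debian releases default to the “$6$” SHA-512 scheme, which has the same shape but a different digest function.

```python
import hashlib
import hmac
import secrets

# Symbols used by crypt(3)-style hashes for the salt and the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    """crypt(3)'s little-endian base-64 variant: `count` symbols of 6 bits each."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Pure-Python MD5-crypt ($1$), as stored in /etc/shadow.

    `salt` is the raw salt (at most 8 symbols, no "$1$" prefix); the return
    value is the full "$1$salt$digest" string.
    """
    pw = password.encode()
    sp = salt.encode()[:8]
    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # the fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    digest = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
              + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
              + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
              + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
              + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
              + _to64(f[11], 2))
    return "$1$" + sp.decode() + "$" + digest


def new_shadow_entry(user, password):
    """A shadow line in the layout the comment shows, with a fresh random salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{md5crypt(password, salt)}:14853:0:99999:7:::"


def parse_shadow_line(line):
    """Return (user, salt, stored hash) from a $1$ shadow line; reject other schemes."""
    user, stored = line.split(":")[:2]
    if not stored.startswith("$1$"):
        raise ValueError(f"not an MD5-crypt hash: {stored[:4]!r}")
    return user, stored.split("$")[2], stored


def verify_password(password, stored):
    """What login does: recompute with the stored salt, compare in constant time."""
    if not stored.startswith("$1$"):
        return False                  # locked ("!", "*") or another scheme
    return hmac.compare_digest(md5crypt(password, stored.split("$")[2]), stored)


def dictionary_attack(shadow_line, wordlist):
    """What an attacker does once they hold the line: hash every guess with
    that line's salt. Nothing computed here helps against a different salt,
    which is why a rainbow table would be needed per salt."""
    _, salt, stored = parse_shadow_line(shadow_line)
    for guess in wordlist:
        if md5crypt(guess, salt) == stored:
            return guess
    return None


# Constructed sample data: a short "dictionary" and a user whose password is
# in it, with a fixed salt so the line is reproducible between runs.
WORDLIST = ["letmein", "123456", "qwerty", "password123", "hunter2"]
SAMPLE_SHADOW_LINE = "pogson:" + md5crypt("password123", "saltsalt") + ":14853:0:99999:7:::"

if __name__ == "__main__":
    print(SAMPLE_SHADOW_LINE)
    print("dictionary hit:", dictionary_attack(SAMPLE_SHADOW_LINE, WORDLIST))
    # Same password under two salts: two unrelated strings, one table per salt.
    print(md5crypt("password123", "saltsalt"))
    print(md5crypt("password123", "12345678"))
    print("login check:", verify_password("password123", SAMPLE_SHADOW_LINE.split(":")[1]))
```

Run it and the dictionary attack finds “password123” in a fraction of a second, which is the whole point of the thread: the salt and the 1000 rounds protect against precomputation, not against a trivial password.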

  4. Mats Hagglund says:

    I have to admit that I use terribly trivial passwords also, but I’m not the only one. Not long ago a server of Helsinki University was compromised and again the reason was trivial passwords (and a long period of use).

    There might be one threat for Linux administrators: the illusion (delusion) of safety. But that’s not all. I noticed in the early 1990s that in some cases special characters (e.g. ½%¤>@£{ etc…) didn’t work even with Unix systems. Even the guy from the helpdesk was amazed that UNIX didn’t accept them. It’s still amazing to find that you can’t choose one during installation of openSUSE 11.4. I had to use a trivial one. After installation I changed it to something like #/()))=//& with the terminal. Tested it: fine. Then came updates, and they didn’t work. Perhaps the reason is my keyboard and language (= not English). In Mint, Ubuntu, Fedora you can do it, but not in SUSE 11.4.

    So when we criticise trivial passwords, there are several reasons why we sometimes have to use them.

  5. Good point. The hackers can take over routers and sniff stuff, or they can compromise the servers and watch the communication with web applications. Layers of security are required. Strong passwords are just one of several that are required. It used to be that https was not used because the CPU time expended on encryption/decryption was a severe burden, and the cost of certificates is an issue for some, but it has become a habit to use plain http.

  6. Bender says:

    There is no point in using strong passwords at services which do not use https. Any password, no matter how strong, could easily be sniffed and used against the user. Strong passwords are essential, though, on services that hold our personal data or are essential to us. Of course password managers are useful, but they will still let the browser send the password in plain text (depending on the website), so they are a solution for local password safety, not for online password safety, which depends on the website.

    I personally just use one password for useless services and strong passwords for essential ones. This way I will still remember all my passwords in case my password manager fails 🙂
