6 Comments

  1. Little late with this reply… I used a not-very-common but dictionary-based root password for a system running Debian Sarge (or was it Woody?) which had an ssh daemon listening with root login enabled (something that should never be done; you should always log in via ssh as a user and su to root if necessary, or better yet use sudo like OS X or other systems like Ubuntu that picked that up… 🙂 ). Anyhow, to make a long story short, I was rootkitted three ways to Sunday after someone cracked my password via brute force, simply because I used a word that was in the dictionary and didn’t use a program to lock out people trying to do that, either. So, the moral of the story is: never use a dictionary word, or anything involving one directly, as a password. Not even something “clever”, because someone running passwords through a 15,000+ word dictionary and a distributed password-cracking attack remotely, or a passwd file scan locally, will find it. (Though better operating systems use shadow passwords now, which puts a slight crimp in that…)

  2. I hadn’t heard of “shadow passwords” before, so I looked it up. I found an old article that explained them. How old? Well, this quote should give you a good idea:

    […] Since a 4GB hard drive can be had for under $1000.00, this is well within the means of most system crackers. […]

    🙂

  3. Some *nix operating systems, including Linux, didn’t have shadow passwords when other Unixes did; and even when Linux did, it was not the default out of the box on many systems, because whoever configured the distro wanted it to be “easy to maintain”. It was long enough ago to be within my memory.
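The commenters above describe four things that together let the break-in happen: root login permitted over ssh, a password built from a dictionary word, no lockout of sources that keep failing, and (on pre-shadow systems) password hashes sitting in the world-readable /etc/passwd. The script below is an added example, not code from the thread or from any of the commenters; it runs the corresponding defender-side checks over constructed samples. The sshd_config fragment, the /etc/passwd lines (the hash in the third line is fake), the auth-log lines (addresses from the RFC 5737 documentation range) and the tiny word list standing in for the 15,000+ word dictionary are all made up for the example.

```python
"""Defender-side checks for the failure modes described in the comment thread.
All inputs below are constructed samples, not data from any real host."""
import re
from collections import Counter

# Constructed sshd_config fragment (hypothetical host).
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed /etc/passwd lines. 'x' means the hash lives in /etc/shadow;
# the third line carries a fake hash directly, as pre-shadow systems did.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:abJnggxhB/yWI:1001:1001:Legacy:/home/legacy:/bin/sh
"""

# Constructed auth-log lines in OpenSSH's usual format (RFC 5737 addresses).
SAMPLE_AUTH_LOG = """\
May  3 02:11:07 box sshd[4711]: Failed password for root from 203.0.113.7 port 51522 ssh2
May  3 02:11:09 box sshd[4711]: Failed password for root from 203.0.113.7 port 51523 ssh2
May  3 02:11:11 box sshd[4712]: Failed password for root from 203.0.113.7 port 51524 ssh2
May  3 02:11:14 box sshd[4713]: Failed password for invalid user admin from 203.0.113.7 port 51525 ssh2
May  3 02:11:20 box sshd[4714]: Failed password for alice from 198.51.100.4 port 40001 ssh2
May  3 02:11:25 box sshd[4715]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

# Tiny constructed stand-in for the 15,000+ word dictionary from the thread.
WORDLIST = {"password", "letmein", "sunshine", "debian", "dragon", "welcome"}
# Common "clever" character substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


def sshd_options(text):
    """Parse 'Keyword value' lines; keywords are case-insensitive and, as in
    sshd itself, the first occurrence of a keyword wins."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def root_login_permitted(text):
    """True when PermitRootLogin is explicitly 'yes'. Old OpenSSH releases
    defaulted to yes, so on such hosts an absent directive is also a finding."""
    return sshd_options(text).get("permitrootlogin", "").lower() == "yes"


def accounts_with_hash_in_passwd(passwd_text):
    """Usernames whose /etc/passwd password field holds a real hash instead of
    the 'x'/'*'/'!' placeholder pointing at /etc/shadow. /etc/passwd has to be
    world-readable, so such a hash is open to any local cracking run."""
    exposed = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[1] not in ("x", "*", "!", "!!", ""):
            exposed.append(fields[0])
    return exposed


def dictionary_root(password, wordlist=WORDLIST):
    """Return the dictionary word a password is built from, or None. Catches
    case changes, leet substitutions, digits/punctuation bolted onto either
    end, and the word written backwards."""
    lowered = password.lower()
    strip = lambda s: re.sub(r"^[^a-z]+|[^a-z]+$", "", s)  # drop non-letter padding
    forms = {lowered, strip(lowered), strip(lowered).translate(LEET),
             strip(lowered.translate(LEET))}
    for form in list(forms) + [f[::-1] for f in forms]:
        if form in wordlist:
            return form
    return None


def sources_to_lock(log_text, threshold=3):
    """Source addresses with at least `threshold` failed ssh logins: the same
    decision a lockout tool such as fail2ban makes from these log lines."""
    counts = Counter(m.group(2) for m in FAILED_RE.finditer(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def audit(sshd_config, passwd_text, log_text, root_password):
    """Run all four checks and return the findings as a dict."""
    return {
        "root_ssh_login": root_login_permitted(sshd_config),
        "hashes_in_passwd": accounts_with_hash_in_passwd(passwd_text),
        "dictionary_root_password": dictionary_root(root_password),
        "sources_to_lock": sources_to_lock(log_text),
    }


if __name__ == "__main__":
    # The sample root password is constructed, as is everything else here.
    for key, val in audit(SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD, SAMPLE_AUTH_LOG, "D3b1an2005").items():
        print(f"{key}: {val}")
```

Each check is deliberately narrow: `root_login_permitted` reads the effective directive the way sshd does (first match wins, keywords case-insensitive), `accounts_with_hash_in_passwd` is exactly the "passwd file scan locally" the first commenter mentions, turned around as an audit, and `dictionary_root` rejects the "clever" variants rather than only the bare word.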

Comments are closed.