From: Leonard H. Tower Jr.
Subject: [Savannah-hackers] security with switch to CVS/Savannah
Date: Thu, 1 Mar 2001 21:47:01 -0500 (EST)

Hi all,

Loic told me as part of getting into Savannah for

   Use your kerberos account + password and then change the Savannah
   password (done this way to prevent someone from stealing your

And when I asked him why:

   Because it's stored encrypted and vulnerable to a dictionary
   cracker.  benito is very protected, subversions is not so protected
   and the chances that someone can see your password encrypted and
   run it thru a cracker are higher.

   It's not strictly necessary to use a different password. It just
   offers better security.

Do you all really feel that users need to do this additional hair?

That is, that cracker and vandal access to the Savannah system will
cause the FSF significant grief?

If yes, then trusting all users to do the right thing is a security
risk in and of itself.  Even a group of hackers.

If yes, you should also be:
        * running all the passwd cracking programs against Savannah's
          encrypted passwd database.
        * advising all Savannah users how to choose a passwd that
          can't be dictionary cracked (which is why tami is Cc:ed - I believe
          she has docs around on how to choose uncrackable passwds)
        * setting up the Savannah registration page
          ``'' and procedure, so it
          only accepts passwds that can't be dictionary cracked.  This has the
          side effect with Kerberos principals of detecting poorly chosen
          passwds (unless devnull set all that up Kerberos this way already).

best -len
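The registration-time check len proposes (reject any passwd a dictionary cracker would recover) could look like this; an added illustration, not Savannah code. The wordlist, the mangling rules (lowercase, leet decoding, stripping appended digits/punctuation, reversal) and the class/length thresholds are all assumptions; a real deployment would load the same wordlist the crackers use.

```python
import re

# Constructed mini wordlist standing in for a cracker's dictionary (assumption:
# a deployment loads a full wordlist file; this one only serves the example).
WORDLIST = {"password", "savannah", "kerberos", "hacker", "gnu", "secret", "letmein"}

# Common "leet" substitutions that rule-based crackers undo before matching.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def candidate_bases(pw):
    """Return the normalised forms a rule-based cracker would try:
    lowercase, leet-decoded, and with leading/trailing digits or
    punctuation stripped (e.g. 'Savannah2001!' -> 'savannah')."""
    low = pw.lower()
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", low)
    return {low, low.translate(LEET), stripped, stripped.translate(LEET)}

def is_dictionary_crackable(pw, wordlist=WORDLIST):
    """True if any mangled form of pw, or its reverse, is a wordlist entry."""
    return any(form in wordlist or form[::-1] in wordlist
               for form in candidate_bases(pw))

def check_registration_password(pw, wordlist=WORDLIST, min_len=8):
    """Decision a registration page would make: (accepted, reason)."""
    if len(pw) < min_len:
        return False, "too short"
    if is_dictionary_crackable(pw, wordlist):
        return False, "dictionary word (possibly mangled)"
    # Require three of: lowercase, uppercase, digit, other (assumed policy).
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        return False, "needs three character classes"
    return True, "ok"
```

Note that "P@ssw0rd1" passes the character-class test yet is rejected, because decoding the leet characters and dropping the trailing digit yields "password".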

