[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Savannah-hackers] security with switch to CVS/Savannah
|
From: |
Leonard H. Tower Jr. |
|
Subject: |
[Savannah-hackers] security with switch to CVS/Savannah |
|
Date: |
Thu, 1 Mar 2001 21:47:01 -0500 (EST) |
Hi all,
Loic told me as part of getting into Savannah for www.gnu.org:
Use your kerberos account + password and then change the Savannah
password (done this way to prevent someone from stealing your
account).
And when I asked him why:
Because it's stored encrypted and vulnerable to a dictionary
cracker. benito is very protected, subversions is not so protected
and the chances that someone can see your password encrypted and
run it thru a cracker are higher.
It's not stricly necessary to use a different password. It just
offers a better security.
Do you all really feel that users need to do this additional hair?
That is, that cracker and vandal access to the Savannah system will
cause the FSF significant grief?
If yes, then trusting all users to do the right thing is a security
risk in and of itself. Even a group of hackers.
If yes, you should also be:
* running all the passwd cracking programs against Savannah's
encrypted passwd database.
* advising all Savannah users how to choose a passwd that
can't be dictionary cracked (which is why tami is Cc:ed - I believe
she has docs around on how to choose uncrackable passwds)
* set up the Savannah registration page
``https://savannah.gnu.org/account/register.php'' and procedure, so it
only accepts passwds that can't be dictionary cracked. This has the
side effect with Kerberos principals of detecting poorly choosen
passwds (unless devnull set all that up Kerberos this way already).
best -len
- [Savannah-hackers] security with switch to CVS/Savannah,
Leonard H. Tower Jr. <=