[10289] in bugtraq
Re: Plain text passwords--necessary
daemon@ATHENA.MIT.EDU (Densin Roy.)
Tue Apr 20 14:14:50 1999
Date: Tue, 20 Apr 1999 04:59:21 +0700
Reply-To: "Densin Roy." <den@FTP.LOXINFO.CO.TH>
From: "Densin Roy." <den@FTP.LOXINFO.CO.TH>
X-To: Trevor Schroeder <tschroed@ACM.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSO.4.10.9904191259560.1035@duckdog.zweknu.org>
see
http://world.std.com/~dpj
On Mon, 19 Apr 1999, Trevor Schroeder wrote:
> (Here's hoping this makes it past the censor ;)
>
> On Fri, 16 Apr 1999, Aleph One wrote:
>
> > Lots of replies to this message but they all failed to really answer
> > the questions raised by the original post.
>
> It seems to me that a lot of this could be avoided using tickets similar to
> Kerberos. We have a trusted third party (TTP) that receives your
> credentials once and returns a ticket for a set of services with a given
> lifetime. This ticket is good only within a certain context (certain
> services, servers, clients, times, dates, you name it and it can be rolled
> into the ticket). That way if the ticket is compromised, it is of limited
> use (versus a full blown password which may be useful in other contexts.)
>
> The client could then use the old ticket (before it expires) to get a new
> ticket. That way an attacker cannot get ahold of an unlimited use ticket
> but must continue to get new tickets from the client. (or reveal himself
> by registering for his own new tickets).
>
> There is another rule to obey here: have security levels associated with
> your passwords. This would seem to be a no-brainer, but I guess it's not.
> It's usually not very feasible to have a separate password for everything
> so people pick a few. If you do this, delegate one password (or set of
> passwords) as low security. Think about what kind of service this is and
> how your password is likely to be stored. Think about how much damage
> could be inflicted if blahblahblah.com accidentally lets out your chat
> password. Don't let passwords for systems with secure password schemes
> (such as UNIX) be used for those with insecure schemes such as Netscape.
> (Using any of those "remember my password" features violates this nostrum.)
>
> The wisdom of this rule was highlighted by this very same Real Server oops.
> In an attempt to demonstrate to a friend that he needed to subscribe to
> BugTraq, I logged in and grabbed his RS password. The disturbing thing is,
> I know that it's also a root password on some machines. Oops, a silly
> mistake has now been elevated to a catastrophe.
>
> Otherwise, use a separate password for absolutely everything and record
> them securely. That is to say, PGP encrypt them and take any steps
> necessary (such as disk wiping) to ensure that it can only be recovered by
> someone who has the appropriate private key.
>
> Just my thoughts.
> .......................................................................
> : Bureaucracy is the enemy of innovation. : Trevor Schroeder :
> : -- Mark Sheperd : tschroed@acm.org :
> :........... http://www.zweknu.org/ for PGP key and more .............:
>
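The scoped, short-lived ticket scheme Trevor sketches above (a trusted third party issues tickets bound to a client, a service and a lifetime, and renews only unexpired ones), as an added Python example that is not part of either post; the TicketServer class, the HMAC-over-JSON ticket format and the fixed clock values are assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical trusted third party (TTP). A ticket carries client, service and
# expiry claims; the TTP's secret key makes it unforgeable, and a client can
# trade an unexpired ticket for a fresh one without re-sending its password.
class TicketServer:
    def __init__(self, key: bytes, lifetime: int = 300):
        self.key = key            # TTP secret, never handed to clients or services
        self.lifetime = lifetime  # ticket validity in seconds

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()

    def issue(self, client: str, service: str, now: int) -> bytes:
        # The nonce keeps two tickets with identical claims from being identical.
        claims = {"client": client, "service": service,
                  "exp": now + self.lifetime, "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        return body + b"." + self._mac(body)

    def verify(self, ticket: bytes, now: int, service: Optional[str] = None):
        # Returns the claims if the ticket is authentic, unexpired and (when a
        # service is given) scoped to that service; otherwise None.
        body, _, mac = ticket.rpartition(b".")
        if not hmac.compare_digest(self._mac(body), mac):
            return None            # forged or altered ticket
        claims = json.loads(body)
        if claims["exp"] <= now:
            return None            # lifetime exhausted
        if service is not None and claims["service"] != service:
            return None            # genuine ticket, but for a different context
        return claims

    def renew(self, ticket: bytes, now: int):
        # Renewal needs an unexpired ticket, so a stolen ticket that has
        # already lapsed cannot be turned into a fresh one.
        claims = self.verify(ticket, now)
        if claims is None:
            return None
        return self.issue(claims["client"], claims["service"], now)
```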