Blacklisting IPs

John Conover conover at rahul.net
Mon Jan 10 10:04:42 PST 2005


Louis LeBlanc writes:
> 
> A practice one of my former co-workers liked was to pick a song and pull
> letters out; take Fleetwood Mac: "Don't Stop Thinking About Tomorrow".
> You could get "DSTAT", turn that into something else, like "dSt4T".
> Pretty short, but definitely not a dictionary word.  You could even take
> more letters from the next line: "Don't Stop, It'll Soon Be Here" and get
> "dSt4TDs1SbH", or any number of derivations.  If you forget the actual
> password, your song is an excellent hint.
>

I think that comes from RFC1244, (Site Security Handbook,) which is a
pretty good security SOP for *_general_* 'Net users.

The stuff 1244 suggests is not perfect, by any means, but is a
relatively good compromise between security, usability, and
operational costs.

For example, to keep sysadmin phone calls on forgotten passwds to a
minimum, 1244 suggests the words in a user's favorite song, ('cause
folks' minds remember the words,) to seven letters, maybe with
capitalization. For example, if the "Star Spangled Banner" is the
'fav, then a passwd would be "oH#saY#caN#".

If logins must be updated periodically, then the user's next passwd
would be, "yoU#See", and so on.

It's certainly not perfect[1], but it's cheap to administer, easy to
use, etc., and relatively hard to crack by algorithmic means, at least
without filling up the log files, giving the sysadm a "heads up" to
type something beginning with "block ..."

1244 has a lot of cute little security things like that.

        John

[1] Yea, I've tried a passwd policy of denied vowel-consonant
relationships, (e.g., words.) Not only did I have a lot of phone calls
on forgotten passwds, I gained credentials as an English teacher.

-- 

John Conover, conover at rahul.net, http://www.johncon.com/
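The song-words scheme from the post, as an added example (not code from the post or from RFC 1244): each word is cut to seven letters, its last letter capitalised, and the words joined with '#', which reproduces "oH#saY#caN#"; the last-letter capitalisation rule and the number of words per password are assumptions inferred from that one example. The wordlist check at the end shows the trade-off the post calls "not perfect": the full string is not a dictionary entry, but every '#'-separated piece is.

```python
import re
from typing import List

# Constructed sample lyric (public-domain opening line of "The Star-Spangled Banner").
LYRIC = "Oh say can you see by the dawn's early light"

# Constructed tiny wordlist standing in for a real cracking dictionary.
WORDLIST = {"oh", "say", "can", "you", "see", "by", "the", "dawns",
            "early", "light", "password", "letmein"}


def _words(text: str) -> List[str]:
    """Lower-case the lyric and drop punctuation so apostrophes never reach the password."""
    return [w for w in (re.sub(r"[^a-z]", "", t) for t in text.lower().split()) if w]


def song_password(text: str, start: int = 0, count: int = 3, max_len: int = 7) -> str:
    """Build one password from `count` consecutive lyric words beginning at word `start`.

    Assumed rule (inferred from "oH#saY#caN#"): truncate each word to `max_len` letters,
    capitalise its last letter, and join the words with '#' including a trailing '#'.
    """
    chosen = [w[:max_len] for w in _words(text)[start:start + count]]
    if len(chosen) < count:
        raise ValueError("not enough words left in the lyric for another password")
    return "".join(w[:-1] + w[-1].upper() + "#" for w in chosen)


def password_schedule(text: str, count: int = 3, max_len: int = 7) -> List[str]:
    """The sequence a user walks through on forced rotation: the next `count` words each time."""
    n = len(_words(text))
    return [song_password(text, i, count, max_len) for i in range(0, n - count + 1, count)]


def dictionary_hits(pw: str, wordlist=WORDLIST) -> int:
    """Cheap sysadmin check: how many '#'-separated pieces are plain dictionary words?

    Zero means a wordlist scan finds nothing; a count equal to the number of pieces means
    the password is only as strong as a word-combining rule, not a random string.
    """
    return sum(1 for piece in pw.split("#") if piece and piece.lower() in wordlist)


if __name__ == "__main__":
    for pw in password_schedule(LYRIC):
        print(f"{pw:20} whole string in wordlist: {pw.lower() in WORDLIST}, "
              f"dictionary pieces: {dictionary_hits(pw)}")
```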


More information about the freebsd-questions mailing list