|
|
Sponsored Content
Special Forums
Cybersecurity
Password rules not effective
Post 302728025 by rbatte1 on Wednesday 7th of November 2012 08:42:24 AM
11-07-2012
Moderator
Password rules not effective
I was looking for a good list of words to exclude people from using as passwords, i.e. those that could be guessed easily. I'm working through a whole bunch of suggestions from skullsecurity.org, but I managed to find this page that seems to suggest I have more options than I thought. 
I have a server built at AIX 6.1.3.0, but recently brought up to AIX 6.1.7.5, so I think I qualify, but there have been no changes to /etc/security/user by the update.
Adding a record in the default: stanza for minloweralpha has no effect.
Back on quest for a dictionary list, the suggestions on the document are shown for excluding the sequence "123" from a user selected password, but I can't get that to work either. Does anyone have it working and can point out why I am being a fool? 
My personal stanza in /etc/security/user has a dictionlist definition and I can prove that it is effective for excluding specific words, such as password but I'd prefer to craft some woolly rules to exclude our usual suspects like "July2012" etc.
Am I just missing something obvious? I have just installed bos.data from the original media, which has given me a /usr/share/dict/words file full of all sorts of stuff, but they are all explicit exclusions and I still can't get either of the above to work.
..... and why does : wall : appear as a question box now?
Many apologies and thanks, in advance,
Robin
Liverpool/Blackburn
UK
I have a server built at AIX 6.1.3.0, but recently brought up to AIX 6.1.7.5, so I think I qualify, but there have been no changes to /etc/security/user by the update.
Adding a record in the default: stanza for minloweralpha has no effect.
Back on quest for a dictionary list, the suggestions on the document are shown for excluding the sequence "123" from a user selected password, but I can't get that to work either. Does anyone have it working and can point out why I am being a fool? My personal stanza in /etc/security/user has a dictionlist definition and I can prove that it is effective for excluding specific words, such as password but I'd prefer to craft some woolly rules to exclude our usual suspects like "July2012" etc.
Am I just missing something obvious? I have just installed bos.data from the original media, which has given me a /usr/share/dict/words file full of all sorts of stuff, but they are all explicit exclusions and I still can't get either of the above to work.
..... and why does : wall : appear as a question box now?
Many apologies and thanks, in advance,
Robin
Liverpool/Blackburn
UK
Last edited by rbatte1; 11-08-2012 at 08:41 AM..
|
|
7 More Discussions You Might Find Interesting
1. Cybersecurity
I would like to give execution rights for a script to one user. (that's the easy part...)
When that user is running the script, I would like the effective user ID to be that of the file-owner. Is this possible? (6 Replies)
Discussion started by: hilmel
6 Replies
2. UNIX for Dummies Questions & Answers
Hey all, I'm glad to have found this forum as I'm trying to dive head first into Solaris 8 - been working with it for a few months now and am finally getting a bit comfortable with the layout and concepts. In any case, on to the questions... :D
I was wondering how I would go about displaying... (3 Replies)
Discussion started by: QuadMonk
3 Replies
3. UNIX for Dummies Questions & Answers
what's the most efficient and effective search for a file in a dir ?
I see many guys use this
# find - print
or something as such ? and sometimes pipe it to something else ?
Is there a better way of using "grep" in all of this ?
thanks
simon2000 (3 Replies)
Discussion started by: simon2000
3 Replies
4. UNIX for Dummies Questions & Answers
Here is my situation. On a RedHat 7.3 box, I have a user named jody.
When I log in with jody and type in "id", I get the expected output:
uid=1(jody) gid=1(jody) groups=1(jody), 510(test)
However, I cannot figure which "id" option allows me to change the effective gid. I tried the options... (2 Replies)
Discussion started by: Jody
2 Replies
5. UNIX for Dummies Questions & Answers
Using Solaris 9 and 10.
What we want to do is set up global rules for our password files to restrict all users, not only new ones set up with the rules but also the ones that have been sitting on the system for years.
Is there a global way to force all users to change their password every 90... (1 Reply)
Discussion started by: LordJezo
1 Replies
6. UNIX for Dummies Questions & Answers
What are the rules for choosing a new password when the old one expires? I notice when I try to use a password that is similar to my previous one then it won't take it. Got me wondering what the exact rules are- as in, how different does it have to be from previous passwords. (1 Reply)
Discussion started by: zTodd
1 Replies
7. UNIX for Dummies Questions & Answers
Can anyone explain me in details of Real and Effective IDs (6 Replies)
Discussion started by: kkalyan
6 Replies
LEARN ABOUT DEBIAN
otpw-gen
OTPW-GEN(1) General Commands Manual OTPW-GEN(1) NAME
otpw-gen - one-time password generator SYNOPSIS
otpw-gen [ options ] DESCRIPTION
OTPW is a one-time password authentication system. It can be plugged into any application that needs to authenticate users interactively. One-time password authentication is a valuable protection against password eavesdropping, especially for logins from untrusted terminals. Before you can use OTPW to log into your system, two preparation steps are necessary. Firstly, your system administrator has to enable it. (This is usually done by configuring your login software (e.g., sshd) to use OTPW via the Pluggable Authentication Module (PAM) configura- tion files in /etc/pam.d/.) Secondly, you need to generate a list of one-time passwords and print it out. This can be done by calling otpw-gen | lpr or something like otpw-gen -h 70 -s 2 | a2ps -1B -L 70 --borders no if more control over the layout is desired. You will be asked for a prefix password, which you need to memorize. It has to be entered immediately before the one-time password. The prefix password reduces the risk that anyone who finds or steals your password printout can use that alone to impersonate you. Each one-time password will be printed behind a three digit password number. Such a number will appear in the password prompt when OTPW has been activated: Password 026: When you see this prompt, enter the memorized prefix password, followed immediately by the one-time password identified by the number. Any spaces within a password have only been inserted to improve legibility and do not have to be copied. OTPW will ignore the difference between the easily confused characters 0O and Il1 in passwords. In some situations, for example if multiple logins occur simultaneously for the same user, OTPW defends itself against the possibility of various attacks by asking for three random passwords simultaneously. Password 047/192/210: You then have to enter the prefix password, followed immediately by the three requested one-time passwords. This fall-back mode is acti- vated by the existence of the lock file ~/.otpw.lock. If it was left over by some malfunction, it can safely be deleted manually. Call otpw-gen again when you have used up about half of the printed one-time passwords or when you have lost your password sheet. This will disable all remaining passwords on the previous sheet. OPTIONS
-h number Specify the total number of lines per page to be sent to standard output. This number minus four header lines determines the number of rows of passwords on each page. The maximum number of passwords that can be printed is 1000. (Minimum: 5, default: 60) -w number Specify the maximum width of lines to be sent to standard output. This parameter determines together with the password length the number of columns in the printed password matrix. (Minimum: 64, default: 79) -s number Specify the number of form-feed separated pages to be sent to standard output. (Default: 1) -e number Specify the minimum entropy of each one-time password in bits. The length of each password will be chosen automatically, such that there are at least two to the power of the specified number possible passwords. A value below 30 might make the pass- words vulnerable to a brute-force guessing attack. If the attacke might have read access to the ~/.otpw file, the value should be at least 48. Paranoid users might prefer long high-security passwords with at least 60 bits of entropy. (Default: 48) -p0 Generate passwords by transforming a random bit string into a sequence of letters and digits, using a form of base-64 encod- ing (6 bits per character). (Default) -p1 Generate passwords by transforming a random bit string into a sequence of English four-letter words, each chosen from a fixed list of 2048 words (2.75 bits per character). -f filename Specify a file to be used instead of ~/.otpw for storing the hash values of the generated one-time passwords. AUTHOR
The OTPW package, which includes the otpw-gen progam, has been developed by Markus Kuhn. The most recent version is available from <http://www.cl.cam.ac.uk/~mgk25/otpw.html>. SEE ALSO
pam(8), pam_otpw(8) 2003-09-30 OTPW-GEN(1)