This was originally posted at the TextDrive blog on May 7, 2005. Copying here for posterity.
Please consider your fellow servermates and avoid the use of weak passwords.
What Not To Do
Strong passwords are great. Cryptographically secure passwords are even cooler and highly encouraged. That said, under no circumstances should anyone be using something like “jason/jason” or “damelon/damelon” as their login/password combination.
Dictionary attacks have been monitored on these servers from the very early days and are now considered constant. If you are using a weak password, expect your account to be compromised by these attacks. That, in turn, raises the odds that other users will be affected by your oversight. This is a very bad thing.
Choosing Good Passwords
Information about how to choose good passwords can be found in many places. A good summary is the Australian Computer Emergency Response Team’s “Choosing Good Passwords” [1].
Choice Selections
“It has often been said that ‘good fences make good neighbors.’ On a Unix system, many users also say that ‘I don’t care who reads my files, so I don’t need a good password.’ Regrettably, leaving an account vulnerable to attack is not the same thing as leaving files unprotected. In the latter case, all that is at risk is the data contained in the unprotected files, while in the former, the whole system is at risk.”—Klein, 1991
“I remember seeing a great phrase on the Mexican Hackers Emergency Response Team page, which went something like ‘Passwords are like underwear: don’t share them, hide them under your keyboard, or hang them from your monitor. Above all, change them frequently’”—SecurityFocus
Thanks, Terrell
References
[1] AusCERT. Choosing Good Passwords. (2001) http://www.auscert.org.au/render.html?it=2260
[2] Klein, Daniel V. (1991) Foiling the Cracker: A Survey of, and Improvements to Unix Password Security. Proceedings of the 14th DoE Computer Security Group. May 1991. http://www.klein.com/dvk/publications/
[3] SecurityFocus. (2001) Password Crackers – Ensuring the Security of Your Password. http://www.securityfocus.com/infocus/1192
[4] Smith, Richard E. (2002) The Strong Password Dilemma. http://www.smat.us/sanity/pwdilemma.html