<HTML
><HEAD
><TITLE
>Use good passwords</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Remote Serial Console HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Security"
HREF="security.html"><LINK
REL="PREVIOUS"
TITLE="Security"
HREF="security.html"><LINK
REL="NEXT"
TITLE="Obey Data Terminal Ready and Data Carrier Detect"
HREF="security-dtr.html"></HEAD
><BODY
CLASS="SECTION"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Remote Serial Console HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="security.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 9. Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="security-dtr.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECTION"
><H1
CLASS="SECTION"
><A
NAME="SECURITY-PASSWORD"
></A
>9.1. Use good passwords</H1
><P
>Anyone who can guess the <SPAN
CLASS="ACRONYM"
>BIOS</SPAN
> password,
   the boot loader password, or the <SPAN
CLASS="SYSTEMITEM"
>root</SPAN
> password can get full control of
   the machine.  These should be different, unrelated, excellent
   passwords.  Random text and digits are by far the best choice.  You
   should never use a password that you think would return a hit from
   a search engine.<A
NAME="AEN2188"
HREF="#FTN.AEN2188"
><SPAN
CLASS="footnote"
>[1]</SPAN
></A
></P
><P
>Guessing a user's password is only slightly less severe, as a
   hacker can obtain <SPAN
CLASS="SYSTEMITEM"
>root</SPAN
>
   access simply by waiting.  The hacker waits for a <SPAN
CLASS="QUOTE"
>"local
   exploit"</SPAN
> for a flaw in the operating system to appear and
   uses that exploit before the machine is patched.</P
><P
>Severely limit the number of users on the machine.  Ensure
   that only good passwords are chosen by using a fascist password
   checker such as a <A
HREF="http://www.users.dircon.co.uk/~crypto/"
TARGET="_top"
><SPAN
CLASS="APPLICATION"
>cracklib</SPAN
></A
>-based
   <A
HREF="http://www.kernel.org/pub/linux/libs/Linux-PAM-html/pam.html"
TARGET="_top"
><SPAN
CLASS="APPLICATION"
>PAM</SPAN
></A
>
   module.</P
><P
>You should write down the <SPAN
CLASS="ACRONYM"
>BIOS</SPAN
> password,
   the boot loader password and the <SPAN
CLASS="SYSTEMITEM"
>root</SPAN
> password.  Now you don't need to
   remember them, so there is no reason for them not to be totally
   random, unrelated, excellent passwords.  Fold the page, put it in
   an envelope and seal it.</P
><P
>Now we have turned a computer security problem into a
   physical security problem.  We know how to solve those problems:
   locks, keys, alarms, safes, guards, regular inspections.  If your
   site has staffed security then a good option is to leave the
   envelope in the care of the guard post with instructions to treat
   the envelope with the same procedures used for the site's master
   keys.  Smaller sites can use a safe, a cash box or a locked drawer.
   A thief forcing a locked drawer still leaves more apparent
   signs of entry and more clues to their identity than are left by a
   hacker behind a modem.</P
><P
>These three passwords are an important corporate asset.  If
   the machine is secure then forgetting the major passwords for the
   machine should result in a machine whose configuration cannot be
   altered by actions short of disassembly.  You should have written
   procedures controlling the generation, storage, lifetime and use of
   major passwords.</P
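><P
>One way to produce the random text-and-digit passwords this section
   calls for, as an added example that is not part of the original HOWTO.
   The function names, the reduced alphabet and the default length of 20
   are assumptions of the example; pass a shorter length where the BIOS or
   boot loader limits it.</P
>

```shell
#!/bin/sh
# Added example (not from the HOWTO): random passwords for BIOS, boot loader, root.

# Letters and digits only, minus the look-alikes 0 O 1 l I, because the
# result is copied by hand onto paper. 57 symbols, about 5.8 bits each.
ALPHABET='abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'

# gen_password [LENGTH]: print one password of LENGTH symbols (default 20).
gen_password() {
    len=${1:-20}
    case $len in
        [0-9]|[0-9][0-9]) ;;
        *) len=0 ;;   # not a 1- or 2-digit number: fail the range check below
    esac
    if [ "$len" -lt 8 ] || [ "$len" -gt 64 ]; then
        echo "gen_password: length must be a number from 8 to 64" >&2
        return 2
    fi
    # Rejection sampling: tr deletes every byte that is not in ALPHABET, so
    # the symbols that remain are uniformly distributed (no modulo bias).
    # 1024 random bytes leave about 228 symbols on average.
    pool=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc "$ALPHABET")
    if [ "${#pool}" -lt "$len" ]; then
        echo "gen_password: not enough random symbols, try again" >&2
        return 1
    fi
    printf '%s\n' "$pool" | cut -c "1-$len"
}

# major_passwords [LENGTH]: one independent draw per secret, so learning one
# password tells an attacker nothing about the other two.
major_passwords() {
    for name in BIOS boot-loader root; do
        pw=$(gen_password "${1:-20}") || return
        printf '%-12s %s\n' "$name" "$pw"
    done
}

major_passwords "$@"
```

<P
>The script writes only to standard output, so run it at the console and
   copy the three lines onto the page that goes into the envelope.</P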
></DIV
><H3
CLASS="FOOTNOTES"
>Notes</H3
><TABLE
BORDER="0"
CLASS="FOOTNOTES"
WIDTH="100%"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.AEN2188"
HREF="security-password.html#AEN2188"
><SPAN
CLASS="footnote"
>[1]</SPAN
></A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
>But don't submit your proposed password to a search engine!
     Sending passwords in plain text across the Internet isn't good,
     nor is the possibility of having them appear in the logs of a search
     engine.</P
></TD
></TR
></TABLE
></BODY
></HTML
>