jslayton01
asked on

Password Aging

I DO NOT use my ROOT account's password, or I do not use ROOT at all (except for administrative tasks). Could the ROOT password be sniffed EVEN if it's NOT in use most of the time (in other words, IDLE)? If the ROOT account is left IDLE most of the time, will it be vulnerable to password attacks?

In other words, I change my password under my limited user account every 60 days. But I don't change the ROOT password, because I do not use it except for emergencies and stuff like that. My question is, will it be OK to just leave the ROOT password UNCHANGED and only change my user password every 60 days?

Hope this is clear.
MNGROW

It's good to change the root password from time to time. First make sure no one has physical access to your system; else you can also put security on single-user mode. Then tighten the security of remote access: disable root access from the ssh and ftp services, etc.
rindi
I agree with mngrow. Even if it is not possible to directly log in as root via ssh, if someone can log in as another user and then just try all possible password combinations to su into root, it is possible to crack the password that way (it will take some time, but eventually it may work). For that reason you should use a long and complicated password, which will take much longer to crack. If you regularly change the password you'll make the work for such an attacker much harder, and it'll take so long that it is unlikely the attacker will ever crack it before you have changed it again. It is also a good idea to regularly check your logs, which will show such attacks and let you take action in time.
My 5 cents to rindi:
In your scenario, isn't it possible that changing the password will actually help the attacker? The attacker does not know the hash from the /etc/shadow file, so the attacker will not reset his password list to check. In my view it's possible that, in fact, root can change its password to the next one on the attacker's list. Isn't it?

Then the first rule against crackers is to create a really hard password, i.e. a whole sentence, not changing it frequently.

jslayton01: If you use your root account so rarely, then maybe you should remove the root password altogether? Then configure a 'sudo'-like program to allow you to do some tasks. Then you have to protect your password like it was root's - but you do that - right?
And by 'remove the root password altogether' I mean putting a star, or an exclamation mark, in place of the root password hash in /etc/shadow - just to be sure.
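The two controls suggested in this thread (locking root's hash with '*' or '!' in /etc/shadow, and disabling root access over ssh) can be audited with a short script. This is an added example, not code from the thread; it runs on constructed sample files (the hashes are fake placeholders), and the same functions can be pointed at a host's real /etc/shadow and /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example, not from the thread: audit whether root's password is locked
# and whether sshd refuses root logins. Inputs below are constructed samples.

# "locked" if the hash field starts with '!' or '*' (what 'passwd -l' and the
# suggestion above produce), "empty" if no password is required at all
# (worse than usable), otherwise "usable".
pw_state() {
    # $1 = shadow-format file, $2 = account name
    h=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    case "$h" in
        '')            echo empty ;;
        '!'*|'*'*)     echo locked ;;
        *)             echo usable ;;
    esac
}

# Maximum password age in days (5th shadow field); a 60-day policy shows up here.
pw_max_age() {
    awk -F: -v u="$2" '$1 == u { print $5; exit }' "$1"
}

# Effective PermitRootLogin: sshd takes the first uncommented occurrence.
permit_root_login() {
    # $1 = sshd_config-style file
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# One-line verdict: "ok" only when root is locked AND ssh refuses root.
audit() {
    # $1 = shadow file, $2 = sshd_config file
    r=$(pw_state "$1" root); p=$(permit_root_login "$2")
    if [ "$r" = locked ] && [ "$p" = no ]; then echo "ok: root $r, PermitRootLogin $p"
    else echo "review: root $r, PermitRootLogin $p"; fi
}

# Constructed sample files (FAKESALT/FAKEHASH are placeholders, not real crypt output).
SHADOW_GOOD=$(mktemp); SHADOW_BAD=$(mktemp); SSHD_GOOD=$(mktemp); SSHD_BAD=$(mktemp)
printf 'root:!:19000:0:99999:7:::\nalice:$6$FAKESALT$FAKEHASH:19000:0:60:7:::\n' > "$SHADOW_GOOD"
printf 'root:$6$FAKESALT$FAKEHASH:19000:0:99999:7:::\n' > "$SHADOW_BAD"
printf '# PermitRootLogin yes\nPermitRootLogin no\n' > "$SSHD_GOOD"
printf 'PermitRootLogin yes\n' > "$SSHD_BAD"

audit "$SHADOW_GOOD" "$SSHD_GOOD"   # ok: root locked, PermitRootLogin no
audit "$SHADOW_BAD"  "$SSHD_BAD"    # review: root usable, PermitRootLogin yes
rm -f "$SHADOW_GOOD" "$SHADOW_BAD" "$SSHD_GOOD" "$SSHD_BAD"
```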
If you don't use it, no one can sniff the password, and you don't need to change it.
v_zahiri:
Not using the password is not enough. It's vital that the password is hard to crack also, or, like I suggested, does not exist at all!
Make the password strong.

If you do not use it often, then it is less likely to be compromised and you do not need to change it often.

The more often a password is used, the more often you should consider changing it.

The main reason passwords should be changed often is that in routine use, information about the password may slip out. For example, someone might see you type a character or two of your password, or notice how many characters you typed by hearing the individual keypresses, or some networked application you use might give some discernible pattern that an attacker could eventually use to estimate the number of characters in your password.

Changing the password freshens the security and secrecy behind it.
ASKER CERTIFIED SOLUTION
xDamox
jslayton01 (ASKER)
I am using strong passwords which include symbols... So if I use really strong passwords, I would be less likely to get cracked?
Yeah, like most cracking programs just use dictionary words; one with ; and # in it makes it very, very hard to break.
Damn me, look into my response:
> Then the first rule against crackers is to create a really hard password, i.e. a whole sentence, not changing it frequently.
Hence longer than 8 chars is better than a whole sentence, ugch...

And moreover, no matter what the length of the password is, if you use it frequently, change it from time to time...