Java Mailing List Archive

http://www.redhatconfig.com/


Re: shell script

mark

2008-04-07

Steve,

>Date: Mon, 07 Apr 2008 10:01:57 -0600
>From: Steve Phillips <steve@(protected)>
>
>mark wrote:
>> Ok, I've never had to create a thousand new users....
>>
>> Paul M. Whitney wrote:
>>> In that wrapper script, you could also generate a changeme type password but
>>> also append some unique character to each one such as first and last letter
>>
>> Or the student's ID would work (unless the college uses SSN (WHICH THEY SHOULD
>> NOT), in which case it's back to generating one.
>
>Sorry to be pedantic but..
>
>Student ID ? easy to get - 'hi, what's your student ID number ?' or 'hey,
>can I see your student ID card', people don't treat these

One student to another? Are that many of them that naive?

>things as
>'private' and if you are using this as a first time password, it would
>be relatively trivial to crack if someone were determined.
>
>And appending a couple of characters ? it would take seconds for a
>dictionary bash to go through every possible combination, and while this
>_may_ show up in the logs, how often do you sit at your desk simply
>watching logs scroll, I am guessing you have real work to do.
>
Sounds like a job for a perl script to me.
<snip>
>as soon as you work out a password 'system' then someone can reverse
>engineer it and exploit it, completely random, changed on

True, or you can go for Real Security, as they have at work: I have an entire page of freaking passwords for different systems (except for the "lab", of which I am one of two admins, and I put LDAP in, so there's only one to worry 'bout). I have *never* had to write passwords down before, but with so many different systems, with different requirements (change it every month/90 days/six months, oh, 5/8 chars difference is "too similar"/oh, it can't start or end with a number, and btw, you have to stand on one leg and rub your tummy while typing it in...), they've really helped the social engineering of passwords, since I assume most folks are writing them down and putting them somewhere convenient.
<snip>
>pair them with the username in a file somewhere, print them out, cut the
>resulting print out up and hand them to the students when they first
>arrive. If the student can't find it within themselves to type 8
>characters on a keyboard when they first arrive then they don't deserve
>to use the computers.
>
Yup. You *do* know the story about the Apple tech support guy and the guy with the blank screen, right?
<snip>
>This has little to do with assisting in preventing account compromises
>as most accounts would be compromised within the 15 day period :-)

*snort*
<snip>

 mark

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)
https://www.redhat.com/mailman/listinfo/redhat-list
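
An added example, not part of the original thread or written by any of its participants: one way to produce the random 8-character first-time passwords discussed above, paired with each username in the `username:password` format that `chpasswd` reads. The function names, the look-alike-free alphabet and the username pattern are assumptions made for this sketch.

```bash
#!/bin/sh
# Added example (not from the thread): random initial passwords for a
# list of usernames, instead of a guessable scheme such as the student ID.

# Assumption: look-alike characters (0/O, 1/l/I) are left out because the
# printed slips are typed in by hand.
ALPHABET='abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'

# gen_password LENGTH: print LENGTH characters drawn from the kernel CSPRNG.
# tr keeps only bytes that are in ALPHABET, so each character is uniform.
gen_password() {
    LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | head -c "${1:-8}"
}

# make_credentials: read usernames on stdin (one per line) and print
# "username:password" lines. Blank lines and # comments are skipped;
# anything that is not a plain account name is rejected on stderr.
make_credentials() {
    while IFS= read -r _user || [ -n "$_user" ]; do
        case "$_user" in
            ''|'#'*) continue ;;
        esac
        if ! printf '%s' "$_user" | grep -Eq '^[a-z_][a-z0-9_-]{0,30}$'; then
            echo "skipping invalid username: $_user" >&2
            continue
        fi
        printf '%s:%s\n' "$_user" "$(gen_password 8)"
    done
}

# Usage, as root, once the accounts exist (users.txt is a hypothetical file):
#   umask 077
#   make_credentials < users.txt > creds.txt
#   chpasswd < creds.txt
#   cut -d: -f1 creds.txt | xargs -n1 chage -d 0   # expire now: change at first login
# creds.txt is what gets printed and cut into slips; delete it afterwards.
```

With 56 symbols and 8 positions there are 56^8 (about 9.7e13) candidates per account, and knowing one student's password says nothing about another's.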