LinuxQuestions.org
Old 11-05-2012, 07:46 PM   #1
jlinkels
Senior Member
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Lenny/Squeeze/Wheezy/Sid
Posts: 4,087

Junior hacker strikes again!

You might have read before that my home network is far from safe due to the presence and the curiosity of my 9-year old son Grep:
http://www.linuxquestions.org/questi...martass-942264

Today I was called by a friend and colleague system administrator who regularly skypes with my son. He asked if I knew that my son knew my password on the home network. WTF? I keep that secret from him to avoid him logging in as me on the network and using sudo commands to circumvent the restrictions I set for him, and of course to keep him from peeking in really confidential files I keep on the home server. I have installed NIS on the network, so he can log in using my password from any workstation.

My son was quick to admit that he indeed held the password, and he also told me how he discovered it. He also said he used it from his own computer and not mine, so I would discover it in auth.log. He had no desire to keep it secret.

When I installed his mother's netbook at the time I booted into Windows 7 once to see if it was functional. I did not remove Windows 7, because if the netbook would ever need warranty repair, I wanted to show Asus I was running Windows, not Linux. I know service centers don't understand Linux and blame any defect on Linux.

When I started Windows for the first time I entered my user name and regular password. (Not smart!) Windows helps users with unsafe behavior, so I had to enter a hint for the password. OK, no problem to come up with some password, but it is a problem to remember it after 6 months. Therefore I used my regular password and also entered the correct hint.

One day my son was (illegally) using his mom's netbook and inadvertently started Windows. There was only one user (me), and when he didn't know the password he was given the hint. The hint was "My favorite candy".

This didn't help him enough, but numerous times he has been looking over my shoulder when I was logging in on one of the workstations. They are routinely locked so I have to enter the password often.

I can type quite fast, but not so fast that he could not intercept the first 5 characters at some time. This combined with the Windows hint was enough for him.

Sigh.

jlinkels

PS: this message is about my son's hacking capabilities, not about network security. It is OK to tell me that I should change the password regularly, not use the same password in multiple places, and not use a dictionary word. Great. In that case please tell me how to memorize it. This I can't memorize: fl(*&CNkH097&--. Not even: "IlmwsmIwnbh" (I love my wife so much I will never betray her). Believe me. Last month I forgot the root password of my home server, which I have been using for 8 years. It consists of upper case, lower case, punctuation and numerics. It took me two days before enough synapses had been reconnected in my brain to restore it. Scary.

Last edited by jlinkels; 11-06-2012 at 04:43 AM.
 
Old 11-05-2012, 09:52 PM   #2
sag47
Senior Member
Registered: Sep 2009
Location: Philly, PA
Distribution: Kubuntu x64, RHEL, Fedora Core, FreeBSD, Windows x64
Posts: 1,431
Blog Entries: 33

Quote:
Originally Posted by jlinkels
Sigh.

jlinkels

PS: this message is about my son's hacking capabilities. Not about network security. It is OK to tell me that I should change the password regularly, not using the same password in multiple places, and not a dictionary word. Great. In that case please tell me how to memorize it. This I can't memorize: fl(*&CNkH097&--. Not even: "IlmwsmIwnbh" (I love my wife so much I will never betray her). Believe me. Last month I forgot the root password of my home server, which I have been using for 8 years. It consists of upper case, lower case, punctuation and numerics. It took me two days before enough synapses had been reconnected in my brain to restore it. Scary.
Funny stories; I read both. One thing I'd like to add is that passwords are only "dictionary" passwords if they're single words. The password "IamCrazy!" is not a dictionary word and therefore is a decently strong password, since it is 8 characters, contains upper and lowercase letters, and a symbol. You could even add the numbers 123 and then it would be even more secure with the added base of characters, like "123IamCrazy!". Sentences make for strong passwords (and spaces count as characters on Linux).

Hopefully that hint will help you to create and remember stronger passwords. "123IamCrazy!" has a password strength of 92^12 while "IlmwsmIwnbh" only has a password strength of 52^11. The latter can be easily cracked in a few hours of brute force of hashes (i.e. alpha rainbow tables) while the former can't be cracked by today's modern computers through brute force. I can get into the math of it if you want but I doubt you'll really care to know.

SAM

Last edited by sag47; 11-05-2012 at 10:01 PM.
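The two arguments in this thread pull in opposite directions: sag47's charset-times-length keyspace is what a blind brute-force attacker faces, while the first post shows what happens when the attacker is not blind at all (a Windows hint fixed the category, shoulder surfing fixed a prefix). The script below is an added example, not code from either poster; it puts numbers on both. The candy list, the placeholder prefix "choco" and the guess rate of one billion hashes per second are constructed for illustration, and the "bits" figure is simply log2 of the number of guesses.

```python
import math
import string

# Character classes a blind brute-force attacker has to assume once they know
# a password contains upper and lower case, digits and a symbol.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the union of the classes the password draws from (+1 for space)."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """log2(charset ** length): sag47's '92^12' style figure, expressed in bits."""
    return len(password) * math.log2(charset_size(password))


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def hinted_candidates(wordlist, known_prefix: str):
    """What is left once a hint fixes the category and shoulder surfing fixes a prefix."""
    p = known_prefix.lower()
    return [w for w in wordlist if w.lower().startswith(p)]


def effective_bits(n_candidates: int) -> float:
    """Entropy of a uniform choice among n candidates (0 bits if one or none remain)."""
    return math.log2(n_candidates) if n_candidates > 1 else 0.0


# Constructed list standing in for "My favorite candy". A real attacker would
# use a longer list; the shape of the result does not change.
CANDY = ["chocolate", "chocolate bar", "gummy bears", "jelly beans", "licorice",
         "lollipop", "marshmallow", "mars bar", "milky way", "snickers",
         "skittles", "smarties", "toffee", "twix"]

if __name__ == "__main__":
    rate = 1e9  # assumed: offline guessing against a fast, unsalted hash
    for pw in ("123IamCrazy!", "IlmwsmIwnbh", "IamCrazy!"):
        b = brute_force_bits(pw)
        print(f"{pw!r:16} charset={charset_size(pw):3} bits={b:5.1f} "
              f"avg crack at {rate:.0e}/s = {expected_seconds(b, rate):.3g} s")
    # The hint attack from the first post: category known, first characters seen.
    left = hinted_candidates(CANDY, "choco")
    print(f"candy list alone: {effective_bits(len(CANDY)):.1f} bits; "
          f"with prefix 'choco': {left} -> {effective_bits(len(left)):.1f} bits")
```

The charset figure is a ceiling, not a measure of what the password is worth: it assumes the attacker has learned nothing about how the password was built. The moment a hint or a partial observation narrows the candidate set, the search collapses to a handful of guesses regardless of length or character classes, which is the check worth running on any password whose hint you were tempted to fill in honestly.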
 
Old 11-05-2012, 10:17 PM   #3
exvor
Senior Member
Registered: Jul 2004
Location: Phoenix, Arizona
Distribution: LFS-Version SVN-20091202, Arch 2009.08
Posts: 1,485

Wow I wish my son had this sorta skill. He also loves to play minecraft but doesn't have any interest in figuring out how to do advanced things on the computer.

I read your other post and saw some of the other comments on sudo. Sudo really can be an evil thing when it comes to security, but few users actually take the time to configure it to not allow everything to be run with it. You can limit sudo so that only one or two commands on the system are able to be executed by it; you just have to edit the sudoers config file. I have actually gotten into arguments on this site with people who swear that you cannot do this, but it's something I always do when I set up a system so that I can shut down the system from X Windows. Sudo on my box is only allowed to run shutdown and reboot. Many distributions are also guilty of abusing sudo and leaving it open to everyone...
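What the restriction exvor describes looks like in sudoers syntax, as an added example rather than his actual file. The open rule shown commented out is the form many distributions ship; the restricted rule below it grants exactly two commands, with their arguments pinned. "alice" is a placeholder user name and the /sbin paths are an assumption about a Debian-style layout; check them with `which shutdown reboot` before copying.

```sudoers
# Added example, not exvor's file. Intended for /etc/sudoers.d/power and
# written with "visudo -f /etc/sudoers.d/power" so a syntax error cannot lock
# you out of sudo entirely. "alice" is a placeholder; paths assume /sbin.

# The open form: every member of the group may run anything as root.
# A stolen account password therefore equals a root password.
# %sudo   ALL=(ALL:ALL) ALL

# The restricted form: one user, exactly these two commands, as root only.
# "-h now" pins shutdown's arguments; the empty "" forbids any arguments to reboot.
Cmnd_Alias POWER = /sbin/shutdown -h now, /sbin/reboot ""
alice   ALL=(root) POWER
```

After saving, `sudo -l -U alice` prints exactly what that user may run and `visudo -c` re-checks every file for syntax errors. Two caveats a practitioner would add: the user must not also be in a group that still has the open rule, or the narrow rule buys nothing; and whatever is listed must be a command that cannot be talked into a shell (editors, pagers and anything with a `!`-escape are not safe to grant this way, however harmless they look).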
 
Old 11-06-2012, 01:29 AM   #4
salasi
Senior Member
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,900

I am following your son's progress with interest, and, to be frank, admiration (although I have also mentally filed it in the category "breeding, potential dangers of").

In terms of password strength, I tend, these days, to use memorable word fragments combined. These words are not necessarily from a single language and not necessarily correctly spelled, and I usually throw in a command sequence from a command line program, just to top up the entropy a bit. I find this easy enough to work with as far as, e.g., encryption for my router is concerned (which I need to recall moderately frequently), but the hundreds of passwords and account names that exist on the internet would defeat me without some kind of password manager.
 
Old 11-06-2012, 05:52 AM   #5
chrism01
Guru
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,269

As sag47 said, the maths shows that longer relatively plain passwds are actually more secure than short complex ones.
Of course a passwd mgr (secured by a really secure master passwd) is handy.
On MS I recommend KeePass. I believe there's a Linux version, KeePassX, but haven't tried it yet.
Quote:
The complete database is always encrypted either with AES (alias Rijndael) or Twofish encryption algorithm using a 256 bit key.
http://keepass.info/index.html
https://www.keepassx.org/
 
Old 11-06-2012, 12:20 PM   #6
tangle
Senior Member
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,744

Quote:
Wow I wish my son had this sorta skill. He also loves to play minecraft but doesn't have any interest in figuring out how to do advanced things on the computer.
You have one of those also? I thought mine was unique.

To the OP, maybe a good punishment would make him a little more mindful of you.
 