LinuxQuestions.org
Old 11-05-2012, 07:46 PM   #1
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Wheezy/Jessie/Stretch/Sid, Linux Mint DE
Posts: 4,631

Rep: Reputation: 711
Junior hacker strikes again!


You might have read before that my home network is far from safe due to the presence and the curiosity of my 9-year old son Grep:
http://www.linuxquestions.org/questi...martass-942264

Today I was called by a friend and colleague system administrator who regularly skypes with my son. He asked if I knew that my son knew my password on the home network. WTF? I keep that secret from him to avoid him logging in as me on the network and using sudo commands to circumvent the restriction I set for him. And of course to keep him from peeking in really confidential files I keep on the home server. I have installed NIS on the network, so he can log in using my password from any workstation.

My son was quick to admit that he held the password indeed, and also he told me how he discovered it. He also said he used it from his own computer and not mine so I would discover it in auth.log. He had no desire to keep it secret.

When I installed his mother's netbook at the time I booted into Windows 7 once to see if it was functional. I did not remove Windows 7, because if the netbook would ever need warranty repair, I wanted to show Asus I was running Windows, not Linux. I know service centers don't understand Linux and blame any defect on Linux.

When I started Windows for the first time I entered my user name and regular password. (Not smart!). Windows helps users with unsafe behavior. So I had to enter a hint for the password. OK, no problem to come up with some password, but it is a problem to remember it after 6 months. Therefore I used my regular password and also entered the correct hint.

One day my son was using (illegally) his mom's netbook and inadvertently started Windows. There was only one user (me) and when he didn't know the password he was hinted. The hint was My favorite candy.

This didn't help him enough, but numerous times he has been looking over my shoulder when I was logging in on one of the workstations. They are routinely locked so I have to enter the password often.

I can type quite fast, but not so fast he could not intercept the first 5 characters at some time. This combined with the Windows hint was enough for him.

Sigh.

jlinkels

PS: this message is about my son's hacking capabilities. Not about network security. It is OK to tell me that I should change the password regularly, not using the same password in multiple places, and not a dictionary word. Great. In that case please tell me how to memorize it. This I can't memorize: fl(*&CNkH097&--. Not even: "IlmwsmIwnbh" (I love my wife so much I will never betray her). Believe me. Last month I forgot the root password of my home server, which I have been using for 8 years. It consists of upper case, lower case, punctuation and numerics. It took me two days before enough synapses had been reconnected in my brain to restore it. Scary.

Last edited by jlinkels; 11-06-2012 at 04:43 AM.
 
Old 11-05-2012, 09:52 PM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Orange County, CA
Distribution: Kubuntu x64, Raspbian, CentOS
Posts: 1,850
Blog Entries: 36

Rep: Reputation: 455
Quote:
Originally Posted by jlinkels View Post
Sigh.

jlinkels

PS: this message is about my son's hacking capabilities. Not about network security. It is OK to tell me that I should change the password regularly, not using the same password in multiple places, and not a dictionary word. Great. In that case please tell me how to memorize it. This I can't memorize: fl(*&CNkH097&--. Not even: "IlmwsmIwnbh" (I love my wife so much I will never betray her). Believe me. Last month I forgot the root password of my home server, which I have been using for 8 years. It consists of upper case, lower case, punctuation and numerics. It took me two days before enough synapses had been reconnected in my brain to restore it. Scary.
Funny stories; I read both. One thing I'd like to add is that passwords are only "dictionary" passwords if they're single words. The password "IamCrazy!" is not a dictionary word so therefore is a decently strong password since it is 8 characters, contains upper and lowercase letters, and a symbol. You could even add the numbers 123 and then it would be even more secure with the added base of characters like "123IamCrazy!". Sentences make for strong passwords (and spaces count as characters on Linux).

Hopefully, that hint will help you to create and remember stronger passwords. "123IamCrazy!" has a password strength of 92^12 while "IlmwsmIwnbh" only has a password strength of 52^11. The latter being easily cracked in a few hours of brute force of hashes (i.e. alpha rainbow tables) while the former can't be cracked by today's modern computers through brute force. I can get into the math of it if you want but I doubt you'll really care to know.

SAM

Last edited by sag47; 11-05-2012 at 10:01 PM.
 
Old 11-05-2012, 10:17 PM   #3
exvor
Senior Member
 
Registered: Jul 2004
Location: Phoenix, Arizona
Distribution: Gentoo, LFS, Debian,Ubuntu
Posts: 1,537

Rep: Reputation: 87
Wow I wish my son had this sorta skill. He also loves to play minecraft but doesn't have any interest in figuring out how to do advanced things on the computer.

I read your other post and saw some of the other comments on sudo. Sudo really can be an evil thing when it comes to security but few users actually take the time to configure it to not allow everything to be run with it. You can limit sudo so that only one or two commands on the system are able to be executed by it, you just have to edit the sudoers config file. I have actually gotten into arguments on this site with people who swear that you cannot do this, but it's something I always do when I set up a system so that I can shut down the system from X windows. Sudo on my box is only allowed to run shutdown and reboot. Many distributions are also guilty of abusing sudo and leaving it open to everyone...
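
An added example, not part of the post above and not any poster's own configuration: a small audit that reads sudoers-style user specifications and flags the ones that allow every command, next to one restricted to shutdown and reboot as the post describes. The sample lines, user names and command paths are constructed, and the parser covers only simple `who host = (runas) commands` lines, with no alias expansion or include handling.

```python
import re

# Constructed sample in sudoers syntax; user names and command paths are assumptions.
SAMPLE_SUDOERS = """\
# wide open: any command, as any user
alice   ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
# restricted the way the post describes: shutdown and reboot only
bob     ALL=(root) /sbin/shutdown, /sbin/reboot
Defaults env_reset
"""

# who  host = (runas) [TAG:] cmd, cmd ...   (simplified subset of the grammar)
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def audit(text):
    """Return one finding per user specification, flagging unrestricted grants."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        cmds = [TAGS.sub("", c.strip()) for c in m["cmds"].split(",")]
        findings.append({
            "line": lineno,
            "who": m["who"],
            "commands": cmds,
            "unrestricted": "ALL" in cmds,         # any command may be run
            "nopasswd": "NOPASSWD:" in m["cmds"],  # no password prompt
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        verdict = "UNRESTRICTED" if f["unrestricted"] else "limited to " + ", ".join(f["commands"])
        print(f"line {f['line']}: {f['who']}: {verdict}")
```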
 
Old 11-06-2012, 01:29 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,064

Rep: Reputation: 893
I am following your son's progress with interest, and, to be frank, admiration (although I have also mentally filed it in the category "breeding, potential dangers of").

In terms of password strength, I tend, these days, to use memorable word fragments combined. These words are not necessarily from a single language and not necessarily correctly spelled and I usually throw in a command sequence from a command line program, just to top up the entropy a bit. I find this easy enough to work with as far as, eg, encryption for my router is concerned (which I need to recall moderately frequently), but the hundreds of passwords and account names that exist on the internet would defeat me without some kind of password manager.
 
Old 11-06-2012, 05:52 AM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,406

Rep: Reputation: 2396
As sag47 said, the maths shows that longer relatively plain passwds are actually more secure than short complex ones.
Of course a passwd mgr (secured by a really secure master passwd) is handy.
On MS I recommend KeePass. I believe there's a Linux version KeepassX, but haven't tried it yet.
Quote:
The complete database is always encrypted either with AES (alias Rijndael) or Twofish encryption algorithm using a 256 bit key.
http://keepass.info/index.html
https://www.keepassx.org/
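
An added example, not written by any poster in this thread: the search-space arithmetic behind the 92^12 and 52^11 figures quoted earlier and the "longer but plainer" point made in the post above, carried through to worst-case exhaustion times. The 92 and 52 alphabet sizes are the thread's own; the 26-letter case, the 8-character case and all guess rates are assumptions chosen for illustration.

```python
import math

# (label, alphabet size, length). 92 and 52 are the figures used in the thread;
# the 8-character and 20-lowercase-letter rows are added here for comparison.
CANDIDATES = [
    ("8 chars, 92 symbols", 92, 8),
    ("IlmwsmIwnbh", 52, 11),
    ("123IamCrazy!", 92, 12),
    ("20 lowercase letters", 26, 20),
]

# Assumed attacker guess rates in guesses per second (illustrative, not measured).
RATES = {"online, throttled": 1e2, "offline, slow hash": 1e5, "offline, fast hash": 1e10}


def keyspace_bits(alphabet_size, length):
    """log2(alphabet_size ** length). This is an upper bound: it assumes every
    character is picked uniformly at random, which words and phrases are not."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size, length, guesses_per_second):
    """Time to try every candidate in the search space at a fixed rate."""
    return alphabet_size ** length / guesses_per_second


def humanize(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def report():
    """Rows of (label, bits, {rate name: time}), weakest search space first."""
    rows = []
    for label, alphabet, length in CANDIDATES:
        times = {name: humanize(worst_case_seconds(alphabet, length, rate))
                 for name, rate in RATES.items()}
        rows.append((label, round(keyspace_bits(alphabet, length), 1), times))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for label, bits, times in report():
        print(f"{label:22} {bits:5.1f} bits  {times}")
```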
 
Old 11-06-2012, 12:20 PM   #6
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,745

Rep: Reputation: 71
Quote:
Wow I wish my son had this sorta skill. He also loves to play minecraft but doesn't have any interest in figuring out how to do advanced things on the computer.
You have one of those also? I thought mine was unique.

To the OP, maybe a good punishment would make him a little more mindful of you.
 
Old 10-17-2016, 12:41 AM   #7
glinkels
LQ Newbie
 
Registered: May 2012
Location: /home/glinkels
Distribution: Debian
Posts: 12

Rep: Reputation: Disabled
Funny, I have no interest in Minecraft anymore and thanks to my dad (kind of) he got me into programming.

Thanks Dad.

-glinkels

PS. A few weeks later I discovered I could use startx :-)

Last edited by glinkels; 10-17-2016 at 12:43 AM.
 
Old 10-17-2016, 08:12 AM   #8
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware has been Main OpSys for decades while testing others to keep up
Posts: 1,463

Rep: Reputation: 1399
The easiest and safest way to deal with so many passwords for compromising ability to recall your own but making it hard for someone else is to use a phrase instead of a single word, vary case on letters and use numbers as well and make Windows hints cryptic and personal. Better... use a Password Keeper app that's encrypted and locked by a good master password that isn't an obvious guess by anyone that knows you.

With modern computing power, passwords can be quite easy to break but it is orders of magnitude harder if they are longer, not merely one word, have mixed case and letters and numbers mixed. I've worked on computers for clients whose password was just "me" and the hint was also "me" (he thought that was clever and it might be if a real hacker would even bother with the hint) that takes barely a second to break.

Last edited by enorbet; 10-17-2016 at 08:14 AM.
 
Old 10-17-2016, 10:31 AM   #9
rtmistler
Moderator
 
Registered: Mar 2011
Location: Sutton, MA. USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu
Posts: 5,706
Blog Entries: 12

Rep: Reputation: 1973
There's plenty of guidance out there about how to keep passwords strong, follow them.

Not saying what follows is your experience, however, just some thoughts:

Regarding kids and their ever adapting abilities ... I cringe very much at reading about a "friend" sysadmin regularly skyping with your 9 year old son, even if that time is far in the past. Not in any creepy way, I just feel that a kid at 9 is "a kid" and they should not be skyping, they should not be surfing. These kids do not need to be super kids as far as technology. My 20 year old daughter learned very well how to use her iPhone at age 18, she's extremely non-technical, but she learned how to set up iTunes, and all that crap, and a vast 2 years later regrets that choice so very much and now she proclaims that her next phone will be an Android. My point being that they are capable of learning stuff, there's no rush. Just my humble opinion. To note about that, her next older brother was extremely aggressive about disrupting the household, to the point he got punished, and then to the point that he reset the network equipment in his desperate attempts to get himself backdoors.

Deactivation of the WIFI, unplugging it, and putting it away, coupled with zero hard wiring to anywhere useful to him took care of that problem, and ultimately led to some balance where he now understands the impact of ill advised, and rash actions.

And I guess I benefit from the perspective which parallels my parents. To go to their example first, my parents were Great Depression children, so anything extra was something to be treasured. For me, when I grew up and moved out, one wired telephone was a luxury, cable did not exist, Internet did not exist. You paid rent, electricity, heating, (A/C didn't really exist), and if you had enough, you could have a phone. So when I found myself doing battle against my 14-16 year old son for supremacy of the home network, I settled the war by removing the home network until someone got a job, paid for their own cell phone, did their "so there!" gesture at me, and learned the costs associated with ever changing services, or tinkering so very much with their phone that they invalidated the product, and so forth. Not oddly enough now, he's very technical, but leaves well enough alone, because he rooted his first iPhone so very much that he lost $$ after needing to get it fixed so very much. Took a few iterations though, ... ah, if I were to do it again ... well if they give me grandkids I can "try" to help
 
Old 10-17-2016, 10:13 PM   #10
glinkels
LQ Newbie
 
Registered: May 2012
Location: /home/glinkels
Distribution: Debian
Posts: 12

Rep: Reputation: Disabled
Quote:
Originally Posted by rtmistler View Post
There's plenty of guidance out there about how to keep passwords strong, follow them.

Not saying what follows is your experience, however, just some thoughts:

Regarding kids and their ever adapting abilities ... I cringe very much at reading about a "friend" sysadmin regularly skyping with your 9 year old son, even if that time is far in the past. Not in any creepy way, I just feel that a kid at 9 is "a kid" and they should not be skyping, they should not be surfing. These kids do not need to be super kids as far as technology. My 20 year old daughter learned very well how to use her iPhone at age 18, she's extremely non-technical, but she learned how to set up iTunes, and all that crap, and a vast 2 years later regrets that choice so very much and now she proclaims that her next phone will be an Android. My point being that they are capable of learning stuff, there's no rush. Just my humble opinion. To note about that, her next older brother was extremely aggressive about disrupting the household, to the point he got punished, and then to the point that he reset the network equipment in his desperate attempts to get himself backdoors.

Deactivation of the WIFI, unplugging it, and putting it away, coupled with zero hard wiring to anywhere useful to him took care of that problem, and ultimately led to some balance where he now understands the impact of ill advised, and rash actions.

And I guess I benefit from the perspective which parallels my parents. To go to their example first, my parents were Great Depression children, so anything extra was something to be treasured. For me, when I grew up and moved out, one wired telephone was a luxury, cable did not exist, Internet did not exist. You paid rent, electricity, heating, (A/C didn't really exist), and if you had enough, you could have a phone. So when I found myself doing battle against my 14-16 year old son for supremacy of the home network, I settled the war by removing the home network until someone got a job, paid for their own cell phone, did their "so there!" gesture at me, and learned the costs associated with ever changing services, or tinkering so very much with their phone that they invalidated the product, and so forth. Not oddly enough now, he's very technical, but leaves well enough alone, because he rooted his first iPhone so very much that he lost $$ after needing to get it fixed so very much. Took a few iterations though, ... ah, if I were to do it again ... well if they give me grandkids I can "try" to help
Then again, you were born in the past where maybe that was normal. Difference in age and culture? Also, we did not skype all too much, I just asked him for help here and there.

-glinkels
 
  

