Root passwords

Dave Dittrich dittrich at cac.washington.edu
Tue Aug 22 10:31:49 PDT 2000


On Mon, 21 Aug 2000, M. Oesterwinter wrote:

> I am starting to admin a bunch of servers, and I am wondering what people
> do to keep track of root passwords.   I haven't been using the
> same password on different servers due to the fear of someone hacking one
> of my servers and getting the password.  What does everyone do?

It is usually a Good Idea to have the password differ, even if by one
character, between systems, since the compromise of one (usually on a
Friday afternoon) doesn't precipitate you having to walk over to every
other system and change their passwords at the same time.

The algorithm I use is to take three letters from two entirely unrelated
words, separate them with a punctuation character (adds to seven
characters), then insert a single character that is related to the host
in question (e.g., second character, second to last character, first
vowel, etc.) someplace in the sequence.  You can then differentiate
between your normal account and root by capitalization differences.
The result is essentially kind of close to random sequences.

Use of single words (especially sexual, related to sci-fi, foods,
etc. -- ever read cracker's dictionaries?) is strictly verboten (yes,
don't even use "foreign" words, thinking nobody will ever know the Urdu
word for "wizard").  I have links to papers on password (in)security
studies in the Unix System Security Checklist on my home page.

--
Dave Dittrich                           Computing & Communications
dittrich at cac.washington.edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
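The following is an added worked example of the per-host password scheme Dittrich describes above; it is not his code and the mailing list does not include one. The two base words ("maple", "trumpet"), the punctuation character, the insertion position and the three host-character rules are assumptions chosen for illustration. Besides deriving the user and root variants for a host, it includes a collision check, because the scheme's one-character host dependence means two hosts that agree on the chosen character (for example, two names with the same second letter) end up with identical passwords.

```python
from collections import defaultdict

VOWELS = "aeiou"


def host_char(hostname: str, rule: str = "second") -> str:
    """Pick the one host-related character the post describes.

    Rules implemented (all assumptions for this example):
      'second'          - second character of the short host name
      'second_to_last'  - second-to-last character
      'first_vowel'     - first vowel, falling back to the first character
    """
    h = hostname.split(".")[0].lower()        # short host name only
    if rule == "second":
        return h[1]
    if rule == "second_to_last":
        return h[-2]
    if rule == "first_vowel":
        return next((c for c in h if c in VOWELS), h[0])
    raise ValueError(f"unknown rule: {rule!r}")


def derive_password(word1: str, word2: str, hostname: str, *,
                    punct: str = "!", rule: str = "second",
                    insert_at: int = 4, root: bool = False) -> str:
    """Three letters of each word, joined by punctuation (7 chars),
    with one host-derived character inserted at a fixed offset.

    The root variant upper-cases the fragment from word1; that
    particular capitalisation rule is an assumption for the example.
    """
    frag1, frag2 = word1[:3].lower(), word2[:3].lower()
    if root:
        frag1 = frag1.upper()
    base = frag1 + punct + frag2
    return base[:insert_at] + host_char(hostname, rule) + base[insert_at:]


def collisions(hosts, word1: str, word2: str, **kw):
    """Return groups of hosts whose derived passwords are identical.

    An empty list means every host in the fleet got a distinct password
    under the chosen rule; a non-empty list is the failure mode to avoid.
    """
    by_pw = defaultdict(list)
    for h in hosts:
        by_pw[derive_password(word1, word2, h, **kw)].append(h)
    return [group for group in by_pw.values() if len(group) > 1]


if __name__ == "__main__":
    # Constructed host names for the demonstration.
    fleet = ["ares.example.edu", "arch.example.edu", "zeus.example.edu"]
    for h in fleet:
        print(h, derive_password("maple", "trumpet", h),
              derive_password("maple", "trumpet", h, root=True))
    print("collisions (second char):", collisions(fleet, "maple", "trumpet"))
    print("collisions (second-to-last):",
          collisions(fleet, "maple", "trumpet", rule="second_to_last"))
```

Run the collision check over the whole fleet before committing to a rule: with the sample hosts above, the "second character" rule gives ares and arch the same password, while "second-to-last" keeps all three distinct. Note also that the derivation is deterministic from two words and a host name, so it keeps an attacker who has recovered one host's password from instantly having the rest only as long as the base words and the rule stay secret.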
More information about the Linux mailing list