Empty root password


Empty root password

Peter Fraser-2
I was very surprised that, when I was installing
a 3.9 system, you can use an empty root password.

I accidentally entered a 'return' when it asked for the
root password, so I entered a 'return' again when
I was asked to repeat the password, thinking that
an empty password would be denied, and I would be asked
again.


Re: Empty root password

Tony Aberenthy
Peter Fraser wrote:
>
> I was very surprised that, when I was installing
> a 3.9 system, you can use an empty root password.
>
> I accidentally entered a 'return' when it asked for the
> root password, so I entered a 'return' again when
> I was asked to repeat the password, thinking that
> an empty password would be denied, and I would be asked
> again.

The folks at OpenBSD understand security.
A password is only one way of securing root access.
(I'd guess it to be one of the poorer methods available)

Assuming that root is secured, physically,
I suspect that a root password is actually more of a
security threat (what else has that password?)
If the password is blank, you know it's blank,
and you take appropriate measures.


Re: Empty root password

Jonathan Glaschke-2
In reply to this post by Peter Fraser-2
On Sat, May 06, 2006 at 03:14:56PM -0400, Peter Fraser wrote:
> I was very surprised that, when I was installing
> a 3.9 system, you can use an empty root password.
>
> I accidentally entered a 'return' when it asked for the
> root password, so I entered a 'return' again when
> I was asked to repeat the password, thinking that
> an empty password would be denied, and I would be asked
> again.
>
Well, I actually think an empty password is a very good idea.

Think of somebody who burgles your house to steal your private data.  When
your computer asks him to enter the password he sure will try the well
known standard passwords like "god", "secret" and "sex".  Or maybe
"swordfish".  But have you ever seen a film where someone was "hacked" by
just typing nothing but enter?

Let's play safe.  Take a post-it and label it with the name of a woman
you know.  Then add a number at the end and prepend it with "password:",
like this: Password Marie5.

He will try "Marie5", then "marie5", "Marie_five" and probably "5Mary"
or "Password Marie5" but he sure won't try "".

Try it, it works.

--
 | /"\   ASCII Ribbon   | Jonathan Glaschke - Lorenz-Goertz-Straße 71,
 | \ / Campaign Against | 41238 Moenchengladbach, Germany;
 |  X    HTML In Mail   | jabber: [hidden email]
 | / \     And News     | http://jonathan-glaschke.de/


Re: Empty root password

Christian Pedaschus
In reply to this post by Peter Fraser-2
lesson today:
if you don't want the first entered pwd, enter something different on
the second pass, and it WILL ask you again ;)



Peter Fraser wrote:

>I was very surprised that, when I was installing
>a 3.9 system, you can use an empty root password.
>
>I accidentally entered a 'return' when it asked for the
>root password, so I entered a 'return' again when
>I was asked to repeat the password, thinking that
>an empty password would be denied, and I would be asked
>again.


Re: Empty root password

Damian Gerow
In reply to this post by Jonathan Glaschke-2
Thus spake Jonathan Glaschke ([hidden email]) [06/05/06 16:58]:
: Think of somebody who burgles your house to steal your private data.  When
: your computer asks him to enter the password he sure will try the well
: known standard passwords like "god", "secret" and "sex".  Or maybe
: "swordfish".  But have you ever seen a film where someone was "hacked" by
: just typing nothing but enter?

I've done it many times.  Most persons I know of give it a shot.  In fact,
there was an interview just posted with the guy who wormed his way into
various Military computers, and he used blank passwords to do so.

Movies != Real Life

: He will try "Marie5", then "marie5", "Marie_five" and probably "5Mary"
: or "Password Marie5" but he sure won't try "".
:
: Try it, it works.

*gak*

I'll refrain from entering the typical debate and leave it at this:

Whether or not it works depends *entirely* on your threat model.  It sure as
heck wouldn't work in mine.


Re: Empty root password

Eric Furman-2
In reply to this post by Peter Fraser-2
--- Peter Fraser <[hidden email]> wrote:

> I was very surprised that, when I was installing
> a 3.9 system, you can use an empty root
> password.
>
> I accidentally entered a 'return' when it asked for
> the
> root password, so I entered a 'return' again when
> I was asked to repeat the password, thinking that
> an empty password would be denied, and I would be
> asked
> again.

This is a feature, not a bug.
And I'm not being sarcastic. :-)
What if you have a test machine not connected
to any network and is physically secure
and you need to log on as root a lot. It would
be nice to not have to enter any password if
you didn't want to. This is normal UNIX
behaviour. The OpenBSD people aren't going
to 'force' you to do everything securely.
They just give you the means and tools
to be so. It's up to you to use them correctly.
(Not that the scenario above is a 'good' idea.
It's just that I 'should' be able to do it
if I so choose)


Re: Empty root password

Roger Neth Jr
On 5/6/06, Eric Furman <[hidden email]> wrote:

> --- Peter Fraser <[hidden email]> wrote:
> > I was very surprised that, when I was installing
> > a 3.9 system, you can use an empty root
> > password.
> >
> > I accidentally entered a 'return' when it asked for
> > the
> > root password, so I entered a 'return' again when
> > I was asked to repeat the password, thinking that
> > an empty password would be denied, and I would be
> > asked
> > again.
>
> This is a feature, not a bug.
> And I'm not being sarcastic. :-)
> What if you have a test machine not connected
> to any network and is physically secure
> and you need to log on as root a lot. It would
> be nice to not have to enter any password if
> you didn't want to. This is normal UNIX
> behaviour. The OpenBSD people aren't going
> to 'force' you to do everything securely.
> They just give you the means and tools
> to be so. It's up to you to use them correctly.
> (Not that the scenario above is a 'good' idea.
> It's just that I 'should' be able to do it
> if I so choose)

I remember what a pain it was on a Microsoft SBS2003 with advanced
password protection activated that I had to have a minimum amount of
password and numeric alpha mandatory on Administrator account. I
actually set up the root for a newbie without a password so he can
play with OpenBSD for the first time. This does not have a network
card and just for a newbie to play with.

rogern

John 3:16


Re: Empty root password

Jonathan Glaschke-2
In reply to this post by Eric Furman-2
On Sat, May 06, 2006 at 05:30:21PM -0700, Eric Furman wrote:

> --- Peter Fraser <[hidden email]> wrote:
> > I was very surprised that, when I was installing
> > a 3.9 system, you can use an empty root
> > password.
> >
> > I accidentally entered a 'return' when it asked for
> > the
> > root password, so I entered a 'return' again when
> > I was asked to repeat the password, thinking that
> > an empty password would be denied, and I would be
> > asked
> > again.
>
> This is a feature, not a bug.
> And I'm not being sarcastic. :-)
> What if you have a test machine not connected
> to any network and is physically secure
> and you need to log on as root a lot. It would
> be nice to not have to enter any password if
> you didn't want to. This is normal UNIX
> behaviour. The OpenBSD people aren't going
> to 'force' you to do everything securely.
> They just give you the means and tools
> to be so. It's up to you to use them correctly.
> (Not that the scenario above is a 'good' idea.
> It's just that I 'should' be able to do it
> if I so choose)

Yes, and I think there is another point.
If administrators are so dumb to use an empty password on internet
servers, it wouldn't be useful to force a password.  Those people will
find enough other ways to make the system insecure.

Even OpenBSD is only as secure as the monkey sitting in front of it.

Jonathan

--
 | /"\   ASCII Ribbon   | Jonathan Glaschke - Lorenz-Goertz-Strasse 71,
 | \ / Campaign Against | 41238 Moenchengladbach, Germany;
 |  X    HTML In Mail   | jabber: [hidden email]
 | / \     And News     | http://jonathan-glaschke.de/


Re: Empty root password

no@spam@mgedv.net
In reply to this post by Jonathan Glaschke-2
> Think of somebody who burgles your house to steal your private
> data.  When

*rofl* --> burgles your house to steal your private data?
come on, before this happens you're dead and your home-cinema is gone!

i'd bet nobody is really interested in private data. the only
thing i can imagine is something like TANs etc...

and if someone comes into your house, he definitely won't
look for post-its with passwords. instead he'll steal the whole
box and satisfy his needs elsewhere.

this kind of protection only helps against your half-educated
small brother who's trying for the 100th time to f* up your root
account ;-)


Re: Empty root password

no@spam@mgedv.net
In reply to this post by Peter Fraser-2
> I accidentally entered a 'return' when it asked for the
> root password, so I entered a 'return' again when
> I was asked to repeat the password, thinking that
> an empty password would be denied, and I would be asked
> again.
>

man, if you want to enter an empty password, do it! unix is
a system that will do exactly what the admin tells it to do.
no yes/no checks, no "ya sure?" boxes, maybe some warnings. if
things are obviously stupid (like newfs with more size than the
disk) they won't work. but if it's the admin's decision
and it's possible, why not do it?


Re: Empty root password

Antonios Anastasiadis
In reply to this post by Peter Fraser-2
in fact, using an empty root password is a perfectly correct and smart
security practice. Don't tell that to anyone, as the openbsd guys are
trying to keep this technique for themselves.
A second step to secure your system is to post your machine's ip here.
Nobody here believes in security through obscurity, do we? :) :)

On 5/6/06, Peter Fraser <[hidden email]> wrote:
> I was very surprised that, when I was installing
> a 3.9 system, you can use an empty root password.
>
> I accidentally entered a 'return' when it asked for the
> root password, so I entered a 'return' again when
> I was asked to repeat the password, thinking that
> an empty password would be denied, and I would be asked
> again.


Re: Empty root password

Lars Hansson
In reply to this post by Jonathan Glaschke-2
On Sunday 07 May 2006 18:41, Jonathan Glaschke wrote:
> If administrators are so dumb to use an empty password on internet
> servers, it wouldn't be useful to force a password.

That's not necessarily dumb. If your location is physically secure and you
don't allow remote root logins there is no problem with having a blank root
password, especially on a router or firewall that only runs a minimal number
of services.

---
Lars Hansson


Re: Empty root password

Wijnand Wiersma
On 5/8/06, Lars Hansson <[hidden email]> wrote:
> On Sunday 07 May 2006 18:41, Jonathan Glaschke wrote:
> > If administrators are so dumb to use an empty password on internet
> > servers, it wouldn't be useful to force a password.
>
> That's not necessarily dumb. If your location is physically secure and you
> don't allow remote root logins there is no problem with having a blank root
> password, especially on a router or firewall that only runs a minimal number
> of services.

As far as I know: by default only ssh is a possible way in and guess what:

PermitEmptyPasswords
             When password authentication is allowed, it specifies whether the
             server allows login to accounts with empty password strings.  The
             default is ``no''.

So you don't need to disable remote root logins.

Wijnand
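The thread turns on two facts that are easy to check on a real box: which accounts in master.passwd actually have an empty password field (Tony's "you know it's blank, and you take appropriate measures"), and whether the sshd_config keywords Wijnand quotes would let that empty password be used over the network. The following audit script is an added example written for this page; it is not code from the thread or from OpenBSD. It assumes the master.passwd(5) field layout, the sshd_config rule that the first occurrence of a keyword wins, and no Match blocks; the sample password file and config are constructed inline, and the bcrypt-looking hash in them is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD: audit a
# master.passwd-style file for accounts with an empty password field and
# read the sshd_config keywords that decide whether such a password is
# usable over ssh. All input below is constructed for the example.

# Constructed sample in master.passwd(5) layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_PASSWD='root::0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
lab::1001:1001::0:0:Lab box user:/home/lab:/bin/ksh
alice:$2b$10$notARealHashJustAConstructedPlaceholder:1000:1000::0:0:Alice:/home/alice:/bin/ksh'

# Constructed sshd_config: a commented default, a first setting, and a
# later duplicate that sshd ignores (the first occurrence of a keyword wins).
SAMPLE_SSHD='# constructed sample, no Match blocks
#PermitEmptyPasswords no
PermitRootLogin yes
PermitEmptyPasswords no
PermitEmptyPasswords yes'

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' "$SAMPLE_PASSWD" > "$SAMPLE_DIR/master.passwd"
printf '%s\n' "$SAMPLE_SSHD" > "$SAMPLE_DIR/sshd_config"

# empty_password_accounts < FILE
# Prints one account name per line whose password field is empty.
# Locked (*) and hashed accounts are skipped; comment lines are ignored.
empty_password_accounts() {
    awk -F: '$0 !~ /^#/ && NF >= 2 && $2 == "" { print $1 }'
}

# sshd_option KEYWORD DEFAULT < CONFIG
# Value of KEYWORD as sshd reads it: keywords are case-insensitive,
# commented lines are skipped, and the FIRST occurrence is used.
# Prints DEFAULT when the keyword is absent. Match blocks are not handled.
sshd_option() {
    _val=$(awk -v k="$1" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }')
    printf '%s\n' "${_val:-$2}"
}

# root_reachable_with_empty_password PASSWD_FILE SSHD_CONFIG
# True (exit 0) only when root's password field is empty AND sshd would
# accept an empty password for root: password auth on, PermitEmptyPasswords
# yes, and PermitRootLogin yes. The fallback for PermitRootLogin is "yes",
# the OpenSSH default of the period; later releases default to
# prohibit-password, which refuses any password login for root.
root_reachable_with_empty_password() {
    empty_password_accounts < "$1" | grep -qx root || return 1
    [ "$(sshd_option PasswordAuthentication yes < "$2")" = yes ] || return 1
    [ "$(sshd_option PermitEmptyPasswords no < "$2")" = yes ] || return 1
    [ "$(sshd_option PermitRootLogin yes < "$2")" = yes ]
}

# Report for the constructed samples.
echo "accounts with an empty password field:"
empty_password_accounts < "$SAMPLE_DIR/master.passwd"
if root_reachable_with_empty_password "$SAMPLE_DIR/master.passwd" "$SAMPLE_DIR/sshd_config"; then
    echo "WARNING: root is reachable over ssh with an empty password"
else
    echo "root's empty password is not usable over ssh (console only)"
fi
```

On a live system the same functions take `/etc/master.passwd` and `/etc/ssh/sshd_config` on stdin (as root, since master.passwd is mode 600). The constructed config lists `PermitEmptyPasswords no` before `PermitEmptyPasswords yes`, so the script reports "no", which is the behaviour to remember when auditing a config someone has appended to rather than edited.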


Re: Empty root password

Peter Fraser-2
My surprise was not because of a perceived lack
of security, but rather that the "passwd" command
will not let you set any password to be the
empty password. (Yes, I know there are other
methods to force it)