
Crack, a Password Checking Service at CERN

Lionel Cons CN/DCI

Passwords are the primary security loophole on a system. If users have guessable passwords then "bad guys" can use their accounts without being detected. These intruders can cause damage to the individual user and also to other users. The use of security tools like Kerberos or shadow passwords is not sufficient since the "crackers" can still try to guess passwords.

The only really safe solution is to make users aware of the dangers and understand the following:

For more information on this subject, you can consult the CERN Security Handbook:

http://consult.cern.ch/writeup/security

However, some guessable passwords will always be used and conscientious system administrators should try to reduce the number of users with a guessable password. This is the purpose of the "Crack service".

crack is a password checker or, more properly, a password guesser. From a dictionary of "common" words (containing language dictionaries, car names, places...) and a set of rules (append a digit, uppercase first letter, substitute o by 0...), it checks if the result is a password currently in use.

A check on some 60 UNIX systems at CERN correctly guessed 28% of the passwords; 63 accounts had no password at all, and 16% of those correctly guessed allowed further login to remote nodes with the same user-name and password!
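The dictionary-plus-rules check described above, sketched as an added example (not the code of crack or of the CERN service): it audits a constructed account table and reports only which accounts need follow-up, including those with no password. The salted PBKDF2 hash, the user names, the salts and the word list are assumptions standing in for real password entries and dictionaries.

```python
import hashlib

def hash_pw(password, salt):
    # Constructed stand-in for a crypt(3) entry: salted PBKDF2, not a real passwd format.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 200).hex()

# The three example rules the article names; each maps a word to its variants.
def append_digit(w): return [w + d for d in "0123456789"]
def upper_first(w): return [w[:1].upper() + w[1:]]
def o_to_zero(w): return [w.replace("o", "0")]
RULES = [append_digit, upper_first, o_to_zero]

def candidates(words, depth=2):
    """Yield every dictionary word, then everything reachable by up to `depth` rules."""
    seen, frontier = set(), set(words)
    for _ in range(depth + 1):
        new = frontier - seen
        yield from sorted(new)
        seen |= new
        frontier = {v for w in new for rule in RULES for v in rule(w)}

def audit(accounts, words, depth=2):
    """accounts maps user -> (salt, stored_hash); an empty hash means no password.
    Returns user -> finding. The guessed password itself is deliberately not
    reported: the administrator only needs to know who must change it."""
    findings = {u: "no password" for u, (_, h) in accounts.items() if not h}
    pending = {u: sh for u, sh in accounts.items() if sh[1]}
    for guess in candidates(words, depth):
        for user, (salt, stored) in list(pending.items()):
            if hash_pw(guess, salt) == stored:
                findings[user] = "guessable"
                del pending[user]
        if not pending:
            break
    return findings

# Constructed sample data (hypothetical users, salts and passwords).
WORDS = ["geneva", "proton", "volvo"]
ACCOUNTS = {
    "alice": ("s1", hash_pw("Proton7", "s1")),      # uppercase first letter + digit
    "bob":   ("s2", hash_pw("v0lv0", "s2")),        # o replaced by 0
    "carol": ("s3", ""),                            # no password at all
    "dave":  ("s4", hash_pw("k#9Lq!vR2x", "s4")),   # not derived from the dictionary
}

if __name__ == "__main__":
    for user, finding in sorted(audit(ACCOUNTS, WORDS).items()):
        print(f"{user}: {finding}")
```

Because every account has its own salt, each candidate must be hashed once per account, which is part of why the check is CPU-intensive.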

crack consumes a lot of CPU time and is more efficient when operated centrally. That's why we will offer a central Crack service at CERN. This service is offered only to system administrators of UNIX machines at CERN. This is an optional service. However, it may become mandatory for some systems like the ones requesting incoming access from outside CERN or the "important" services.

For more information on how to use this service, please check the Crack service home page on the Web

http://wsspinfo.cern.ch/file/crack.html

or contact crack.support@cern.ch.






Michel Goossens
CN Division
Tel. 3363
Tue Nov 28 18:14:41 MET 1995