Chris's Wiki :: blog/sysadmin/PasswordChangeNotes Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/PasswordChangeNotes?atomcomments
DWiki
2010-09-07T03:34:06Z
Recent comments in Chris's Wiki :: blog/sysadmin/PasswordChangeNotes.

By Chris Siebenmann on /blog/sysadmin/PasswordChangeNotes
<div class="wikitext"><p>We have too many machines for me to use different passwords on even
different classes of isolated machines; there are only so many passwords
I can sensibly remember, and I am biased towards convenience over absolute
security.</p>
<p>(After all, if I cared about absolute security I would already be using
one-time passwords of some sort, both for my regular account and for
root access. Sometimes I think that this would be great, and then I
remember that I would strangle myself, never mind my co-workers.)</p>
<p>In good news, we don't use our own passwords to gain root access so
knowing my password would get a pen tester only marginally further
towards straightforward root access. I don't think that there is
anything truly dangerous that my account has direct access to or
powers over, although I could be wrong; it's sadly easy for things
to slip through the cracks.</p>
</div>
2010-09-07T03:34:06Z

From 173.206.100.3 on /blog/sysadmin/PasswordChangeNotes
<div class="wikitext"><p>I am a professional pen tester. FYI: We love sysadmins who use the same password everywhere. :-)</p>
<p>Using a different password for your workstation is enough to make an attacker's life more difficult. If an attacker compromises your workstation they will have access to your ssh keys, but if you are careful with what you put in sudoers the attacker will not instantly have root access on all of your systems.</p>
</div>
2010-09-06T11:50:16Z