August 29, 200817 yr I was reading some post on security for the unRAID and decided that I should add/change to a more difficult password to login into my unRAID. I read that passwords should not have the following characters: | & ; ( ) < > space tab ; $ # * @ (I pulled this info from http://lime-technology.com/forum/index.php?topic=974.0 and http://lime-technology.com/wiki/index.php?title=FAQ#What_characters_are_not_legal_in_an_unRAID_password.3F Based on this I would think one could use the following though: - _ = + ^ ^ / ? % ! ~ , [ ] { } (maybe someone could clear this up) (I am sure I missed a few) Not being 100% sure if those characters could be used or not I decided to stick to A-Z, a-z, and 0-9 (I took a chance on the capital letters, seeing I could not find a post that specifically said don't use upper case in the password) I used a password generator to create a password which was 50 characters long with the constraints of using A-Z, a-z, and 0-9 (if there are other characters that can be used I would of included those with my constraints and will include them when I know which ones can be used. Once I had a generated password and I saved it to a secure location and then entered it into unRAID twice and hit save. Now I am no longer able to get into my own unRAID. (not exactly what my goal was ) I would think the issue is that unRAID has a limitation on the length allowed for the password. I could try entering the pass with removing one character at a time hoping to get in, but if upper case is not allowed, then I would be at it for a while. Here is the password I used: 0M9bleSb4BRrWtAWIfWa7ASxX7SXYxKGK7cbDyUV6kWxDbgtO0 (I changed around a few digits for my protection and will completely change the password when I get back in) Thanks for any help on this.
August 29, 200817 yr I reading some post on security for the unRAID and decided that I should add/change to a more difficult password to login into my unRAID. I read that passwords should not have the following characters: | & ; ( ) < > space tab ; $ # * @ (I pulled this info from http://lime-technology.com/forum/index.php?topic=974.0 and http://lime-technology.com/wiki/index.php?title=FAQ#What_characters_are_not_legal_in_an_unRAID_password.3F Based on this I would think one could use the following though: - _ = + ^ ^ / ? % ! ~ , [ ] { } (maybe someone could clear this up) (I am sure I missed a few) Not being 100% sure if those characters could be used or not I decided to stick to A-Z, a-z, and 0-9 (I took a chance on the capital letters, seeing I could not find a post that specifically said don't use upper case in the password) I used a password generator to create a password which was 50 characters long with the constraints of using A-Z, a-z, and 0-9 (if there are other characters that can be used I would of included those with my constraints and will include them when I know which ones can be used. Once I had a generated password and I saved it to a secure location and then entered it into unRAID twice and hit save. Now I am no longer able to get into my own unRAID. (not exactly what my goal was ) I would think the issue is that unRAID has a limitation on the length allowed for the password. I could try entering the pass with removing one character at a time hoping to get in, but if upper case is not allowed, then I would be at it for a while. Here is the password I used: 0M9bleSb4BRrWtAWIfWa7ASxX7SXYxKGK7cbDyUV6kWxDbgtO0 (I changed around a few digits for my protection and will completely change the password when I get back in) Thanks for any help on this. First, upper case characters are allowed. Second, this is a Linux question, not specific to unRAID. So, google is your friend. According to /etc/login.defs MD5_CRYPT_ENABLE is set to "yes" Apparently, MD5 Passwords are limited to 255 characters. However, since you are logging in via the web interface, who knows how much space Tom allocated in his program. Generally, password lengths greater than 8 characters are discouraged. Passwords of mixed case and characters sets are allowed. Some password characters might be difficult to enter via a web-interface since it encodes some characters. Some are not legal for use in protecting SAMBA shares since windows can't handle them. Your use of Upper and Lower case letter and numbers is fine. historically, the "#" character was defined at the time of login to be the character erase character. Today, the backspace key does the same. Don't use the backspace key as part of your password. You might try logging via telnet, and at its prompt typing your long password. (or pasting via a right mouse button) Once in, type passwd and respond once more with the old password, and then enter something a little shorter at the prompts for the new. At worst case if you cannot log in, power down the server, then move the flash drive to your PC. In the "config" folder you will find a "passwd" file. Remove it, or rename it to passwd_old. Then put the flash drive back in the server and power up. You will be faced with a full parity check because your shut-down was not clean, but you should be able to log in with no password and start fresh. Joe L.
August 29, 200817 yr Author Thanks for the response Joe. Seeing that upper case is allowed, I went ahead and set to the task of starting with the first 14 characters as the password and added one character until I gained access (I tried telnet but it kept timing out). Currently the magic number/length via the web interface is 40, so I was 10 over the limit for Tom's allocated amount in his program. I will stick to A-Z, a-z, and 0-9 and stay below 40 characters. I am not sure if I will play around with any of the other characters. Whys is passwords longer than 8 characters discouraged. (could I run into more or bigger issues down the road if I go with a password longer than 8 characters? The best bit strength I can seem to get with a max 8 character password is around 45, but when going to 40 I can get up to 235 (this rating is something the password generator is providing) Thanks again for the help
August 29, 200817 yr The problem with extremely long passwords is that they become LESS secure than short ones. The issue is not a technical one, but a human one. Reasonable length passwords can be memorized, long seemingly-random ones cannot. A 12 character password that you can remember is more likely to secure a system than a 100 character password you write down on a sticky and place under your keyboard. Yeah, I see that you are saving it to a "secure location" but others may not, so it is something to keep in mind. Bill
August 29, 200817 yr I won't even try to guess why you are setting up such long and impossible to remember passwords. All I can think of is you have some very sensitive data on your server. I should mention that all ANYBODY would need is a different flash drive with just about any live distribution of linux to completely defeat your longer password. (Oh, they need physical access to the server too, but you probably have it in hardened bunker, hidden under some mountain, protected by armed guards and a pack of hungry Rottweilers. ) The only way the longer password will be useful if a brute force attack on your server were to occur. Are your LAN users that persistent? As it is, you don't know your own password and must keep it in some other location. To me, that is just like writing the password on a piece of paper you keep under the keyboard. (easy for others to find and use) If you want a reasonably secure password, use both numbers and letters, and a mix of upper and lower case, and make it something you remember. Example: Use a catchy phrase and create a password from the first letter of each word followed by the numeric length of each. An example phrase might be "I like Ice Cream in the Summer" The result for this trivial example is: I1l4I3C5i2t3S6 Trust me, that is not in any dictionary, and about as secure as you will need for most situations. At least it is something you can commit to memory. You can create the phrase from anything you can remember, your family member's names, your hobby, a film or song title,etc. Then... don't write the password down anywhere... And don't tell me where your hardened bunker is located either. The reason for the 8 character max on older versions of Linux/unix is that only the first 8 characters of the password were used, even if you typed more. Many utilities simply ignored the extra characters. Today's versions of Lniux allow much longer passwords, but some utilities are still limited in what they can handle. Joe L.
August 29, 200817 yr Author The problem with extremely long passwords is that they become LESS secure than short ones. The issue is not a technical one, but a human one. Reasonable length passwords can be memorized, long seemingly-random ones cannot. A 12 character password that you can remember is more likely to secure a system than a 100 character password you write down on a sticky and place under your keyboard. Yeah, I see that you are saving it to a "secure location" but others may not, so it is something to keep in mind. Bill Bill thanks for the input. Both you and Joe make a great point regarding the 12 or 8 character passwords that one can remember verses a 100 character password that could be carelessly placed on a desk or in a drawer. No password would be secure if it were written down and placed conveniently for retrieval with out lock and key and next to the computer (i guess lock and key is even questionable). This situation (as you mentioned will not be my issue). My concern is someone hacking my network and then trying to hack unRAID. unRAID does not time out after a certain amount of attempts or at least it does not look like it does, so someone could write a script to plug in any combination of characters to hack the system. I guess if there is a setting for getting unraid to timeout for a certain period in conjunction with a short password that is memorized would or could be better than a long password with no time out after a certain amount of attempts. I guess I am a little more nervous then you guys. I am not a hacker and struggle to think like a hacker. I do have private data but it is not earth shattering and surely won't change the world if it leaks out, but if a hacker brakes in it surely will change my world, which is not something I want to happen. I have the usual network stuff routers, wifi, and wireless equipment (not to mention the great and impenetrable windows xp with java running every now and then) on my network but it seems that there are always new hacks out there to exploit someone, somewhere. I also here a lot of people using one password for all logins which is also very dangerous which I can't say I have not been guilty of. I do not have a different password for every thing on the web but I still struggle to remember the ones I have. I use a program to keep my passwords, which has a master password which I can change and do change (the program uses AES encryption). I am sure their are comments for my method also, and I am open for them. I am just an average guy trying to take steps towards protecting my personal files, family pics, scanned bills, movies, songs, and that type stuff.... you know the high level security info that I keep in that hardened bunker that I dare not tell Joe about its location . I sort of like the "I like Ice Cream in the Summer"... maybe I will use that. Thanks aging for you guys bringing some perspective to my paranoia.
August 29, 200817 yr The problem with extremely long passwords is that they become LESS secure than short ones. The issue is not a technical one, but a human one. Reasonable length passwords can be memorized, long seemingly-random ones cannot. A 12 character password that you can remember is more likely to secure a system than a 100 character password you write down on a sticky and place under your keyboard. Yeah, I see that you are saving it to a "secure location" but others may not, so it is something to keep in mind. Bill Bill thanks for the input. Both you and Joe make a great point regarding the 12 or 8 character passwords that one can remember verses a 100 character password that could be carelessly placed on a desk or in a drawer. No password would be secure if it were written down and placed conveniently for retrieval with out lock and key and next to the computer (i guess lock and key is even questionable). This situation (as you mentioned will not be my issue). My concern is someone hacking my network and then trying to hack unRAID. unRAID does not time out after a certain amount of attempts or at least it does not look like it does, so someone could write a script to plug in any combination of characters to hack the system. I guess if there is a setting for getting unraid to timeout for a certain period in conjunction with a short password that is memorized would or could be better than a long password with no time out after a certain amount of attempts. I guess I am a little more nervous then you guys. I am not a hacker and struggle to think like a hacker. I do have private data but it is not earth shattering and surely won't change the world if it leaks out, but if a hacker brakes in it surely will change my world, which is not something I want to happen. I have the usual network stuff routers, wifi, and wireless equipment (not to mention the great and impenetrable windows xp with java running every now and then) on my network but it seems that there are always new hacks out there to exploit someone, somewhere. I also here a lot of people using one password for all logins which is also very dangerous which I can't say I have not been guilty of. I do not have a different password for every thing on the web but I still struggle to remember the ones I have. I use a program to keep my passwords, which has a master password which I can change and do change (the program uses AES encryption). I am sure their are comments for my method also, and I am open for them. I am just an average guy trying to take steps towards protecting my personal files, family pics, scanned bills, movies, songs, and that type stuff.... you know the high level security info that I keep in that hardened bunker that I dare not tell Joe about its location . I sort of like the "I like Ice Cream in the Summer"... maybe I will use that. Thanks aging for you guys bringing some perspective to my paranoia. Your goal is a good one, but all you need is one computer on your lan to be compromised, and they all are. The "login" password to get to the management web page of unRAID, or to log in via telnet is only one part of the equation. All of the SAMBA shares must be also protected, otherwise, anybody can simply get to the data through SAMBA and your shared drives. Every PC on your LAN must be equally hardened, otherwise, if they have access to a shared drive on your server, you have some exposure if they can get to a command prompt on the PC. Good luck.... Joe L.
August 29, 200817 yr (I pulled this info from http://lime-technology.com/forum/index.php?topic=974.0 and http://lime-technology.com/wiki/index.php?title=FAQ#What_characters_are_not_legal_in_an_unRAID_password.3F Finally! You should get some kind of award! I believe that you are the very first user so far, to actually refer to and quote from the FAQ! I realize the FAQ wasn't completely satisfactory, and it certainly is still very incomplete. But I'm going to add your research to that FAQ entry, and refer to the other comments made here, plus a link to this thread.
August 29, 200817 yr Author The problem with extremely long passwords is that they become LESS secure than short ones. The issue is not a technical one, but a human one. Reasonable length passwords can be memorized, long seemingly-random ones cannot. A 12 character password that you can remember is more likely to secure a system than a 100 character password you write down on a sticky and place under your keyboard. Yeah, I see that you are saving it to a "secure location" but others may not, so it is something to keep in mind. Bill Bill thanks for the input. Both you and Joe make a great point regarding the 12 or 8 character passwords that one can remember verses a 100 character password that could be carelessly placed on a desk or in a drawer. No password would be secure if it were written down and placed conveniently for retrieval with out lock and key and next to the computer (i guess lock and key is even questionable). This situation (as you mentioned will not be my issue). My concern is someone hacking my network and then trying to hack unRAID. unRAID does not time out after a certain amount of attempts or at least it does not look like it does, so someone could write a script to plug in any combination of characters to hack the system. I guess if there is a setting for getting unraid to timeout for a certain period in conjunction with a short password that is memorized would or could be better than a long password with no time out after a certain amount of attempts. I guess I am a little more nervous then you guys. I am not a hacker and struggle to think like a hacker. I do have private data but it is not earth shattering and surely won't change the world if it leaks out, but if a hacker brakes in it surely will change my world, which is not something I want to happen. I have the usual network stuff routers, wifi, and wireless equipment (not to mention the great and impenetrable windows xp with java running every now and then) on my network but it seems that there are always new hacks out there to exploit someone, somewhere. I also here a lot of people using one password for all logins which is also very dangerous which I can't say I have not been guilty of. I do not have a different password for every thing on the web but I still struggle to remember the ones I have. I use a program to keep my passwords, which has a master password which I can change and do change (the program uses AES encryption). I am sure their are comments for my method also, and I am open for them. I am just an average guy trying to take steps towards protecting my personal files, family pics, scanned bills, movies, songs, and that type stuff.... you know the high level security info that I keep in that hardened bunker that I dare not tell Joe about its location . I sort of like the "I like Ice Cream in the Summer"... maybe I will use that. Thanks aging for you guys bringing some perspective to my paranoia. Your goal is a good one, but all you need is one computer on your lan to be compromised, and they all are. The "login" password to get to the management web page of unRAID, or to log in via telnet is only one part of the equation. All of the SAMBA shares must be also protected, otherwise, anybody can simply get to the data through SAMBA and your shared drives. Every PC on your LAN must be equally hardened, otherwise, if they have access to a shared drive on your server, you have some exposure if they can get to a command prompt on the PC. Good luck.... Joe L. I have drive shares off and flash shares off. I do have user shares on which is I guess what you are referring to as SAMBA shares. (correct me if I am wrong please). I do not have passwords on seeing I have struggled to get that working with Windows XP. Seems I cannot map a network drive if I have passwords on the user shares. I did use some long user share names which I may be wrongly assuming that those are not distributed names (visible to anyone hooked to the network) I have looked for a simple fix on this but the last time I looked there were no simple fixes to get password protection for user shares working with xp. I definitely want to get that working soon. Rob, Thanks for adding this post to the wiki. I hope it will help others. I like to cross reference the other links so that others that are looking know where to go to get more info and so I know where to go when I come back to this post down the road.
August 29, 200817 yr Good security is all about avoiding wide open holes, not gluing shut the front door when the back door is wide open. A series of low fences will keep out 99.999% of those that try. In a house, it's all about locking doors/windows, having good lighting, and neighbors that know who you are. For a computer, it's controlling physical access and having some reasonable security for your systems and network. Encryption is the other thing that you should consider if the data is really sensitive. Bill
Archived
This topic is now archived and is closed to further replies.