__/ [Matt Probert] on Friday 23 December 2005 18:19 \__
> On Fri, 23 Dec 2005 14:08:41 +0000, Roy Schestowitz
> <newsgroups@xxxxxxxxxxxxxxx> wrote:
>> __/ [Charles Sweeney] on Friday 23 December 2005 12:37 \__
>> > Jim wrote
>> >> I am using some php scripts that writes to different files, and the
>> >> files need a 666 chmod setting (read+write, read+write, read+write).
>> >> Are there any security issues involved in having xml or txt files on
>> >> my website chmod'ed to 666?
>> > Unless you keep sensitive information on your server, then there's
>> > nothing that can't be fixed by a reinstall and backup.
>> If you have a piece of Web-based software, be careful. If hacked (assuming
>> it allows the user to upload files) expect this case of hijacking to put
>> the entire Web server in jeopardy. Choose good software; choose
>> hard-to-crack passwords.
> Can we perhaps assist newbies by suggesting what constitutes a "hard
> to crack password"?
> As an example, easy to crack passwords are ANY word found in a
> standard dictionary.
> More difficult passwords involve a combination of lower case and upper
> case letters and digits.
> The Probert Encyclopaedia - Beyond Britannica
Excellent source for common passwords. Combinations of terms therein too.
I happen to deal with accounts of University staff and students. In ~70%
of the cases, they use just a combination of words. Some of the passwords
I have come across you would not believe. No matter how much you encourage
them to select something cryptic, they choose to be lazy or simply
indifferent, almost naive.
It is no wonder so many sites and machines continue to get hijacked. More
and more systems begin to force periodic password changes and introduce a
variety of rules including a dictionary lookup. Don't get me started on
the habits of writing passwords on paper notes. Set up a site without a
'fetch password using E-mail' feature and you'll have a support nightmare.
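The kind of dictionary lookup and mixed-case/digit rule discussed in this thread, as an added example (not code from any of the posters). It goes a little beyond the posts in that it also flags passwords built by gluing dictionary words together and passwords that hide a word behind common digit/symbol substitutions; the wordlist and the substitution table are constructed stand-ins for a real dictionary.

```python
import re

# Constructed miniature wordlist standing in for a "standard dictionary".
# A real list must not contain one- or two-letter entries, or the
# segmentation below would match almost anything.
DICTIONARY = {"password", "sunshine", "welcome", "letmein", "summer",
              "student", "university", "admin"}

# Common symbol/digit substitutions, undone before the dictionary lookup.
LEET_MAP = str.maketrans("0134$@!", "oleasai")


def segment(word, dictionary):
    """Split word into dictionary words; None if no complete split exists."""
    best = [None] * (len(word) + 1)
    best[0] = []
    for i in range(1, len(word) + 1):
        for j in range(i):
            if best[j] is not None and word[j:i] in dictionary:
                best[i] = best[j] + [word[j:i]]
                break
    return best[len(word)]


def letter_forms(pw):
    """Letter-only reductions of a password that the dictionary check should see."""
    forms = set()
    for base in (pw, pw.strip("0123456789")):      # with and without appended digits
        low = base.lower()
        forms.add(re.sub(r"[^a-z]", "", low))                      # digits/symbols dropped
        forms.add(re.sub(r"[^a-z]", "", low.translate(LEET_MAP)))  # leet-speak undone
    forms.discard("")
    return forms


def check_password(pw, dictionary=DICTIONARY, min_length=8):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for pattern, label in ((r"[a-z]", "lower-case letter"),
                           (r"[A-Z]", "upper-case letter"),
                           (r"[0-9]", "digit")):
        if not re.search(pattern, pw):
            problems.append(f"no {label}")
    for form in sorted(letter_forms(pw)):
        words = segment(form, dictionary)
        if words:                                   # whole password is dictionary material
            if len(words) == 1:
                problems.append(f"dictionary word: {words[0]!r}")
            else:
                problems.append("combination of dictionary words: " + "+".join(words))
            break
    return problems
```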