On 5/4/20 10:09 AM, Jeff Mincy wrote:
> The best practice is to not use common or continue to use exposed passwords. Scripts are probably trying to log into your ssh using those passwords.

I completely agree on both accounts.

> I think you are worrying about the wrong thing.

I obviously disagree. I'm already worrying about not using exposed passwords. I'm also worried about creating a list of plain text passwords.

I think you're only worrying about the former and not giving any consideration to the latter.

> The exposed passwords being used in the extortion emails are already widely known and have already been exposed.

Yes, the example you cited, and many others, are quite well known. But those aren't the only exposed passwords.

> If you are still using the exposed password then you've got bigger problems.

I completely agree that (re)using exposed passwords is a problem. Bigger or not is a different debate.

> If you are no longer using the exposed password then disclosing the previously used password further is not going to make any difference.

I disagree. Storing any plain text passwords is a bad practice and should be avoided. As such, storing plain text passwords /does/ make a difference.

> But, if you are really worried about it, don't write a spamassassin rule looking for your exposed passwords in the subject.

Which is why I have not. It's also why I asked if there was a way to compare hashed text. To quote:

"Is there any way to compare hashed strings of text?"

I'll note that my question hasn't been answered. Instead, people have focused on something not germane to my question.
-- Grant. . . . unix || die
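The question left open in the message above is how to match a Subject header against known exposed passwords without keeping those passwords in plain text. The following is an added example, not code from this thread or from SpamAssassin, written in language-neutral Python rather than as a SpamAssassin plugin. It assumes a secret key kept outside the rule set and a constructed list of sample passwords; only keyed digests (HMAC-SHA256, my choice for this example) are stored, so someone who obtains the digest list but not the key cannot recover weak passwords from it with a wordlist, which an unkeyed SHA-256 list would allow. The comparison is exact-match only, so a password that appears with different capitalisation or punctuation in the subject will not be detected; the code strips trailing punctuation as a small mitigation.

```python
import hmac
import hashlib
import re

# Constructed example values. A real deployment loads the key from a file
# outside the rule set and the digests from a list generated once; the
# plaintext passwords are not needed after the digest set is built.
SECRET_KEY = b"replace-with-a-random-key-kept-outside-the-ruleset"
EXPOSED_PASSWORDS = ["correct-horse-battery", "Summer2019!", "qwerty123"]


def digest(token: str, key: bytes = SECRET_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of one candidate token, hex-encoded.

    A keyed hash means the stored list is useless without the key, whereas a
    plain hash of a weak password could be matched offline against a wordlist.
    """
    return hmac.new(key, token.encode("utf-8"), hashlib.sha256).hexdigest()


def build_digest_set(passwords, key: bytes = SECRET_KEY) -> frozenset:
    """Turn a plaintext list into the set that is actually stored on disk."""
    return frozenset(digest(p, key) for p in passwords)


STORED_DIGESTS = build_digest_set(EXPOSED_PASSWORDS)

# Split on whitespace and common separators; quotes and brackets are
# excluded so "password: 'foo'" yields the bare token.
TOKEN_RE = re.compile(r"""[^\s,;:"'()<>\[\]]+""")


def candidate_tokens(subject: str):
    """Yield the distinct strings in a Subject header worth hashing.

    Hash comparison only catches exact matches, so each token is also tried
    with trailing sentence punctuation removed.
    """
    seen = set()
    for tok in TOKEN_RE.findall(subject):
        for variant in (tok, tok.rstrip(".!?")):
            if variant and variant not in seen:
                seen.add(variant)
                yield variant


def subject_contains_exposed(subject: str, digests=STORED_DIGESTS,
                             key: bytes = SECRET_KEY) -> bool:
    """True if any token of the subject hashes to a stored digest.

    Only a yes/no is returned, so logging the result does not re-create a
    plaintext record of which password appeared in which message.
    """
    return any(digest(tok, key) in digests for tok in candidate_tokens(subject))


if __name__ == "__main__":
    # Constructed sample subjects in the style of the extortion emails.
    for subj in ("Your password is Summer2019! - pay now",
                 "Invoice 4471 attached"):
        print(f"{subject_contains_exposed(subj)!s:5}  {subj}")
```

The digest set can be regenerated whenever the key is rotated, and because membership is tested per token the cost is one HMAC per word in the subject, which is negligible next to the rest of message scanning.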