Xref: utzoo alt.security:740 comp.protocols.tcp-ip:11531 alt.sys.sun:941
Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!cunixf.cc.columbia.edu!shenkin
From: shenkin@cunixf.cc.columbia.edu (Peter S. Shenkin)
Newsgroups: alt.security,comp.protocols.tcp-ip,alt.sys.sun
Subject: Re: anonymous ftp, and the dangers thereof
Message-ID: <1990Jun3.152118.4758@cunixf.cc.columbia.edu>
Date: 3 Jun 90 15:21:18 GMT
References: <1990Apr20.192233.4092@utzoo.uucp> <6721@blake.acs.washington.edu>
Reply-To: shenkin@cunixf.cc.columbia.edu (Peter S. Shenkin)
Organization: Columbia University
Lines: 33

In article zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff) writes:
>All this emphasis on turning off tftp and waiting for shadow password
>files may be clouding the simpler and more effective solution. Force
>users to pick good passwords! Something with some non-alpha
>characters and mixed case (not the first letter capital).

This suggestion has been mentioned many times on the net, but it also has a
problem. If passwords are non-mnemonic, unpronounceable and non-suggestive
(as all "good" passwords are), then they are easy for users to forget; not
daily users, but occasional users, such as, say, a biology graduate student
who logs on once a month to do a DNA sequence search. Such users often
constitute the vast majority of users on departmental systems. These users
then *WRITE DOWN* their passwords, compromising security differently, but
perhaps as severely, as is now the case.

For a while I had an account on a VMS system which, in the interest of
security, expired my password periodically, and required me to change it. I
mostly used a UNIX system, but had to log into the MicroVAX occasionally to
access a connected array processor; I was an occasional user. Keeping track
of my password became such a pain that for a while I wrote it down and kept
it in an unobtrusive place, though I didn't like doing that.

Eventually I discovered that I could change it, then change it right back to
the usual, and the machine wouldn't complain. I felt a bit guilty putting
something over on the poor machine, but I feel I saved it from itself. Its
security measures were actually compromising security.

Not that I have answers....

-P.

************************f*u*cn*rd*ths*u*cn*gt*a*gd*jb**************************
Peter S. Shenkin, Department of Chemistry, Barnard College, New York, NY 10027
(212)854-1418 shenkin@cunixc.cc.columbia.edu(Internet) shenkin@cunixc(Bitnet)
***"In scenic New York... where the third world is only a subway ride away."***
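Added example, not from the post or from any system it mentions: a password-change routine that enforces the quoted complexity rule (non-alpha characters, mixed case, not merely an initial capital) and keeps salted hashes of the last few passwords, so the change-then-change-back trick the poster describes is rejected. The history depth, the minimum length and the PBKDF2 iteration count are assumed values the post does not give.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 5          # assumed: how many previous passwords are remembered
MIN_LENGTH = 8             # assumed: the post states no minimum length
PBKDF2_ITERATIONS = 100_000  # assumed; tune for the target hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def meets_policy(password: str) -> bool:
    """Zeeff's rule as quoted: some non-alpha characters and mixed case,
    where capitalising only the first letter does not count as mixed case."""
    if len(password) < MIN_LENGTH:
        return False
    has_non_alpha = any(not c.isalpha() for c in password)
    has_lower = any(c.islower() for c in password)
    upper_positions = [i for i, c in enumerate(password) if c.isupper()]
    mixed_case = has_lower and bool(upper_positions)
    not_just_initial_cap = upper_positions != [0]
    return has_non_alpha and mixed_case and not_just_initial_cap


class Account:
    def __init__(self, initial_password: str):
        self.history = []  # (salt, digest) pairs, most recent last
        if not meets_policy(initial_password):
            raise ValueError("initial password does not meet policy")
        self._store(initial_password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per stored entry
        self.history.append((salt, hash_password(password, salt)))
        del self.history[:-HISTORY_DEPTH]  # forget anything older than the last N

    def previously_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(hash_password(password, s), d)
                   for s, d in self.history)

    def change_password(self, old: str, new: str):
        """Return None on success, otherwise a short reason for rejection."""
        salt, current = self.history[-1]
        if not hmac.compare_digest(hash_password(old, salt), current):
            return "wrong current password"
        if not meets_policy(new):
            return "does not meet policy"
        if self.previously_used(new):
            return "reused a recent password"
        self._store(new)
        return None
```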