Path: utzoo!attcan!uunet!seismo!ukma!tut.cis.ohio-state.edu!cs.utexas.edu!uwm.edu!bionet!agate!shelby!LINUS.MITRE.ORG!bede
From: bede@LINUS.MITRE.ORG
Newsgroups: comp.protocols.kerberos
Subject: RE: Why is initial user authentication done the way it is?
Message-ID: <9006150343.AA03896@max.mitre.org>
Date: 15 Jun 90 03:43:18 GMT
References: <9006150124.AA14075@ATHENA.MIT.EDU>
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 39


   Posted-Date: Thu, 14 Jun 90 21:24:14 EDT
   From: smb@ulysses.att.com
   Date: Thu, 14 Jun 90 21:24:14 EDT

   [ . . . ]

	   Support for optional extensions should be included.  In
	   particular, an option to protect against dictionary attacks on
	   /etc/passwd may be a desirable extension.

   [ . . . ]

At the risk of carrying the discussion off on a tangent:  the issue of
dictionary-based password attacks is, at many sites, moot.  For
example, we've rigidly enforced a rule here for about two years
prohibiting dictionary and various other "trivial" passwords for user
logins.  The muscle behind the policy is provided by a rather simple
password cracker I wrote, plus a modified version of passwd (and Real
Soon Now, kpasswd).

In a sense, support for extensions is already in Kerberos, just as it
is for passwd,  assuming you have the source code.  In our case, aside
from the locally-produced lookup code, the total modification to
(k)passwd amounts to less than 50 lines, but could be *much* less than
that, of course.

Regardless of the merits of the encryption/authentication scheme used,
it just makes sense to discourage trivial attacks right from the start,
if at all possible.


-Bede McCall

 Research Computing Facility
 MITRE Corp.          Internet: bede@mitre.org
 MS A114              UUCP: {decvax,philabs}!linus!bede
 Burlington Rd.
 Bedford, MA 01730    (617) 271-2839