Path: utzoo!attcan!uunet!tut.cis.ohio-state.edu!bgsuvax!denbeste
From: denbeste@bgsuvax.UUCP (William C. DenBesten)
Newsgroups: comp.protocols.appletalk
Subject: Re: Limitations imposed by AppleShare's User Authentication Method
Message-ID: <6153@bgsuvax.UUCP>
Date: 15 Aug 90 17:12:24 GMT
References: <Added.Eam9PV200jZd83cE9c@andrew.cmu.edu>
Organization: Bowling Green State University B.G., Oh.
Lines: 21

From article <Added.Eam9PV200jZd83cE9c@andrew.cmu.edu>, by ADAMS@INTELLICORP.COM (Kevin Adams):
> I would like to comment on the restriction Apple places on the maximum length
> a password associated with an AppleShare server can be.  Currently, one can have
> only up to 6 characters.  From a security standpoint, this seems to be too few.

I think that this actually prevents a bigger problem:  I know how to
find out all the user names and passwords, given a users & groups
file.  If the passwords are the same as on the mainframe, the
mainframe security can be instantly and widely compromised.

To prevent this from happening at your site, do 3 things:

1) keep your server physically secure, so no one can reboot with a floppy to
copy your users & groups file.

2) don't leave copies of users and groups outside of your server folder.

3) keep all backups that contain users and groups secure.

1 & 3 are also important from the standpoint of protecting user files,
but we all know that, don't we :-).