Path: utzoo!attcan!uunet!cs.utexas.edu!chinacat!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F Haugh II)
Newsgroups: comp.unix.sysv386
Subject: Re: SCO doesn't sell UNIX
Message-ID: <18805@rpp386.cactus.org>
Date: 11 Dec 90 13:16:21 GMT
References: <2755CECE.4502@tct.uucp> <2332@cdin-1.UUCP> <1990Dec1.223750.16286@NCoast.ORG> <275A9A50.3F3F@tct.uucp> <531@camco.Celestial.COM>
Reply-To: jfh@rpp386.cactus.org (John F Haugh II)
Organization: Lone Star Cafe and BBS Service
Lines: 27
X-Clever-Slogan: Recycle or Die.

In article <531@camco.Celestial.COM> bill@camco.Celestial.COM (Bill Campbell) writes:
>I would love to see SCO UNIX available, not with 'relaxed' C2
>security, but with NO C2 security.  Shadow passwords are probably
>a good idea, but unnecessary if you use good passwords in the
>first place (not your spouse's name, birthday...).  Most security
>problems are caused by lazy, incompetent system administrators,
>not by the operating system.

Anyone who believes this has never read Appendices C and F out of
the DoD "Password Management Guidelines".  The difference between
a system with shadowed passwords and non-shadowed passwords being
cracked is many orders of magnitude.

Think for a moment about a college network of say, 100 IBM S/6000's.
Using whatever benchmark results we have today, that is about 2,500
MIPS.  If a system in the 3 - 5 MIPS range can produce 1,000 UNIX
style encryptions per second, we should be able to get over 500,000
encryptions per second on our little network.

Now have a shadow password system that turns your account off after
100 failures.  If you reenable the account once per day (after a long
night of hacking ;-), you get 864 seconds per encryption, or a
difference of 432,000,000 to 1.  That's almost 9 orders of magnitude.
Which means that =your= password must come from a set which is almost
1,000,000,000 times larger than mine - just to be just as secure.
-- 
John F. Haugh II                             UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832                           Domain: jfh@rpp386.cactus.org
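The arithmetic in the post above, as an added worked example (not the poster's code) that also lets the parameters vary and turns the guess-rate gap into expected time to exhaust a given password space. The constants are the figures quoted in the post; 25 MIPS per node and a 5 MIPS benchmark machine are the assumed values that reproduce its 2,500 MIPS and 500,000 encryptions/second.

```python
import math

# Figures quoted in the post (constructed example, not the poster's code).
NODES = 100                  # IBM S/6000 workstations on the college network
MIPS_PER_NODE = 25           # assumed: 100 nodes -> "about 2,500 MIPS"
BENCH_MIPS = 5               # assumed: a 3 - 5 MIPS box does ~1,000 crypt(3)/s
BENCH_ENC_PER_SEC = 1000
LOCKOUT_FAILURES = 100       # account turned off after 100 failed logins
REENABLE_INTERVAL_S = 86400  # re-enabled once per day


def offline_guess_rate(nodes=NODES, mips_per_node=MIPS_PER_NODE,
                       bench_mips=BENCH_MIPS, bench_enc_per_sec=BENCH_ENC_PER_SEC):
    """Guesses/second against a readable (non-shadowed) hash: the benchmark
    machine's crypt rate scaled linearly to the whole network's MIPS."""
    total_mips = nodes * mips_per_node
    return total_mips / bench_mips * bench_enc_per_sec


def online_guess_rate(failures=LOCKOUT_FAILURES, interval_s=REENABLE_INTERVAL_S):
    """Guesses/second when the hash is shadowed and the only route is the
    login prompt, which locks after `failures` attempts per `interval_s`."""
    return failures / interval_s


def guess_rate_ratio(offline=None, online=None):
    """How many times faster offline cracking runs than lockout-limited guessing."""
    offline = offline_guess_rate() if offline is None else offline
    online = online_guess_rate() if online is None else online
    return offline / online


def orders_of_magnitude(ratio):
    return math.log10(ratio)


def expected_crack_seconds(password_space, guesses_per_second):
    """Expected time for exhaustive search: on average half the space is tried."""
    return password_space / 2 / guesses_per_second


def equal_security_space(base_space, ratio=None):
    """Size the non-shadowed user's password set must have to take as long to
    crack as the shadowed user's `base_space` (the post's "1,000,000,000 times")."""
    ratio = guess_rate_ratio() if ratio is None else ratio
    return base_space * ratio
```

With the defaults, an 8-character lowercase password (26**8) falls to the offline attacker in about 2.4 days but would take the lockout-limited attacker millions of years.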