Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!think.com!paperboy!snorkelwacker.mit.edu!bloom-picayune.mit.edu!athena.mit.edu!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: comp.misc
Subject: Re: (In)security of passwords
Message-ID:
Date: 29 Mar 91 19:09:59 GMT
References: <1097@gtenmc.UUCP> <1991Mar26.191052.4620@chinet.chi.il.us> <1046@hrshcx.csd.harris.com>
Sender: news@athena.mit.edu (News system)
Organization: Massachusetts Institute of Technology
Lines: 38
In-Reply-To: steved@hrshcx.csd.harris.com's message of 28 Mar 91 17:38:55 GMT

In article <1046@hrshcx.csd.harris.com> steved@hrshcx.csd.harris.com (Steve Daukas) writes:

> I have worked at several places where password expiration was the norm.
> In just about every case, one of three things happened:
>
> 1) the user enters the new password, and then changes it back asap;
> 2) the user has two passwords that are toggled between;

It is possible, nay easy, to write password expiration code that eliminates
both of these problems. You keep a list of n previous passwords (where n is
large), or of the encrypted strings corresponding to n previous passwords,
and don't allow the user to use any of his previous passwords.

Granted, if the user knows what n is, he can change his password that many
times until he gets back to the one he really wants. You can assume that
this will happen infrequently, or you can restrict the password-changing
program so that each user can only change his password a limited number of
times in any time period, to prevent this cycling.

> 3) in the case of computer generated passwords, many post-it notes can be
> seen either on the terminal itself, desktop, inside a drawer, etc.

Computer generated passwords are a different question from password
expiration. All the same, this problem is solvable too. Either don't
computer generate passwords, or generate pronounceable, rememberable
passwords.

I believe that Multics did all of the above.

I'm not advocating password expiring, just pointing out that these are not
insurmountable problems with it.

Jonathan Kamens                           USnail:
MIT Project Athena                        11 Ashford Terrace
jik@Athena.MIT.EDU                        Allston, MA 02134
Office: 617-253-8085                      Home: 617-782-0710
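The two controls Kamens describes above (a history of the last n password hashes that the new password is checked against, plus a cap on how many changes one account may make per time window) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the original post or from Multics; the class name PasswordStore, the return codes, the history length, the change limit and the use of salted PBKDF2 as the "encrypted string" are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Example policy values (assumptions, not from the original post).
HISTORY_LEN = 10          # n: how many previous password hashes are remembered
MAX_CHANGES = 3           # changes one account may make per window
WINDOW_SECONDS = 24 * 3600
PBKDF2_ITERATIONS = 20_000  # kept low so the demo runs quickly


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for the post's 'encrypted string'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class PasswordStore:
    """Per-user password records with reuse history and change rate limiting."""

    def __init__(self, history_len=HISTORY_LEN, max_changes=MAX_CHANGES,
                 window=WINDOW_SECONDS, clock=time.time):
        self.history_len = history_len
        self.max_changes = max_changes
        self.window = window
        self.clock = clock          # injectable so tests can control time
        # user -> {"history": [(salt, digest), ...] newest last,
        #          "changes": [timestamps of recent successful changes]}
        self.users = {}

    def set_initial(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = {"history": [(salt, derive(password, salt))],
                            "changes": []}

    def verify(self, user: str, password: str) -> bool:
        """True if `password` is the user's current password."""
        salt, digest = self.users[user]["history"][-1]
        return hmac.compare_digest(derive(password, salt), digest)

    def _previously_used(self, user: str, password: str) -> bool:
        # Every history entry has its own salt, so each must be re-derived.
        return any(hmac.compare_digest(derive(password, salt), digest)
                   for salt, digest in self.users[user]["history"])

    def change(self, user: str, old: str, new: str) -> str:
        """Attempt a change; returns a status string rather than raising."""
        rec = self.users[user]
        if not self.verify(user, old):
            return "bad-old-password"
        now = self.clock()
        # Drop change timestamps that have aged out of the window.
        rec["changes"] = [t for t in rec["changes"] if now - t < self.window]
        if len(rec["changes"]) >= self.max_changes:
            return "rate-limited"   # blocks cycling through n passwords quickly
        if self._previously_used(user, new):
            return "reused"         # blocks "change it back" and two-password toggling
        salt = os.urandom(16)
        rec["history"].append((salt, derive(new, salt)))
        del rec["history"][:-self.history_len]   # keep only the last n entries
        rec["changes"].append(now)
        return "ok"


if __name__ == "__main__":
    store = PasswordStore(history_len=3, max_changes=3, window=1000)
    store.set_initial("alice", "pw0")
    print(store.change("alice", "pw0", "pw0"))   # reused
    print(store.change("alice", "pw0", "pw1"))   # ok
```

The design point is the interaction of the two limits: with only a history, a user who knows n can cycle back to the old password in n+1 changes; with the rate limit as well, that cycle takes at least ceil((n+1)/max_changes) windows, which is what makes a large n effective.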