Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!boingo.med.jhu.edu!haven!ni.umd.edu!uc780.umd.edu!cs450a03
From: cs450a03@uc780.umd.edu
Newsgroups: comp.misc
Subject: RE: (In)security of passwords
Message-ID: <29MAR91.18505428@uc780.umd.edu>
Date: 29 Mar 91 18:50:54 GMT
References: <1097@gtenmc.UUCP> <1991Mar26.191052.4620@chinet.chi.il.us>
Sender: usenet@ni.umd.edu (USENET News System)
Organization: The University of Maryland University College
Lines: 28
Nntp-Posting-Host: uc780.umd.edu

Johnathan Kamens writes:

>It is possible, nay easy, to write password expiration code that
>eliminates both of these problems. You keep a list of n previous
>passwords (where n is large), or of the encrypted strings
>corresponding to n previous passwords, and don't allow the user to
>use any of his previous passwords.

Er, yes... wonderful. May I humbly point out that a really good password is a work of art? I'm not going to put in the effort to come up with a real beauty if I know I'll have to give it up based on somebody else's timetable.

For example, I still remember, with fondness:

    :I9"J.%I9

That one has high mnemonic value (once you realize what it says), but is not too likely to be stumbled across at random.

[Incidentally, that particular password revealed that a recent SunOS revision was sending passwords around in plaintext at some level -- the Suns were barfing on the : when I tried to change it, though login worked fine.]

Compare that with the sort of junk I throw at machines that force me to change my password regularly:

    foobar

Tell me why I should bother coming up with a password that's going to take me a day to figure out how to remember if I'm going to have to toss it (a) on short notice, and (b) at an arbitrary time.

Raul Rockwell
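An added example, not code from this post or from Kamens, of the history mechanism quoted above: only salted hashes of the last n passwords are kept, and a candidate matching any of them is rejected. It also shows the caveat behind "where n is large": with a short window a user can cycle back to an old password. The class name, `HISTORY_DEPTH` and the PBKDF2 parameters are my assumptions; the two passwords in the walk-through are the ones quoted in the post.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5        # "n" in the post; assumed default
PBKDF2_ROUNDS = 100_000  # assumed work factor


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 over raw bytes, so characters such as ':'
    # pass through untouched; the plaintext itself is never retained.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-user ring of (salt, digest) pairs for the last `depth` passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries: dict[str, deque] = {}

    def _reused(self, user: str, candidate: str) -> bool:
        # Re-derive the candidate under each stored salt; constant-time compare.
        return any(
            hmac.compare_digest(_hash(candidate, salt), digest)
            for salt, digest in self._entries.get(user, ())
        )

    def set_password(self, user: str, new_password: str) -> bool:
        """Record the new password's hash, or refuse it if it is a recent reuse."""
        if self._reused(user, new_password):
            return False
        ring = self._entries.setdefault(user, deque(maxlen=self.depth))
        salt = os.urandom(16)
        ring.append((salt, _hash(new_password, salt)))  # oldest entry drops off
        return True


def demo() -> list:
    # Constructed walk-through with a deliberately small window of 2.
    h = PasswordHistory(depth=2)
    return [
        h.set_password("raul", ':I9"J.%I9'),  # True: new
        h.set_password("raul", "foobar"),     # True: new
        h.set_password("raul", ':I9"J.%I9'),  # False: still within the window
        h.set_password("raul", "third-one"),  # True: evicts the first entry
        h.set_password("raul", ':I9"J.%I9'),  # True: aged out, reuse now allowed
    ]
```

The last result is the point of "n is large": a history shorter than the number of changes a user is willing to make defeats the check.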