Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!decwrl!pa.dec.com!decuac!grebyn!escom!al
From: al@escom.com (Al Donaldson)
Newsgroups: comp.unix.wizards
Subject: Re: new password idea
Message-ID: <1991Apr26.171549.10502@escom.com>
Date: 26 Apr 91 17:15:49 GMT
References: <1991Apr24.004539.3881@mp.cs.niu.edu> <14655@ulysses.att.com> <1991Apr25.154954.14372@chinet.chi.il.us>
Organization: ESCOM Corporation
Lines: 24

>>} On some of our non-UNIX systems we use a security package that has
>>} another useful feature: after a certain number of bad passwords are
>>} given consecutively for a logonid, the logonid is suspended.

Once when I was testing someone's operating system, I thought it would
be interesting to find out what really happens when I exceeded the bad
password count for root. So I just sat there at the console blindly
typing random junk for the root password. After a small number of
tries (less than 10), it made me root.

What I think happened was that on this release a novice maintenance
programmer made a bad decision and handled an error condition by
starting a shell. ("Well, I don't know what ELSE to do, and he DID
say he wanted to be root....")

Insufficient testing, wrong people working on critical code, and too
many damn bells and whistles. There is something to be said for
simplicity in critical programs like login. Especially if the vendor
doesn't have time to test every release extensively and document it
completely (or release the code).

Al

It's 10pm. Do you know what your system does..?
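The failure mode Al describes (a bad-password counter whose overflow path falls through to a shell) is easy to show next to the fail-closed version. The following is an added illustration written for this archive, not the vendor's login code or anything Al posted; `buggy_login`, `safe_login`, `password_ok`, the outcome codes, the limit of 5 and the sample "random junk" passwords are all constructed for the example, and the real login would hash and compare rather than `strcmp`.

```c
#include <stdio.h>
#include <string.h>

/* Possible results of one login session (constructed for this example). */
enum outcome { OUT_SHELL, OUT_RETRY, OUT_LOCKED };

/* Hypothetical bad-password limit; the post only says "less than 10". */
#define MAX_BAD 5

/* Hypothetical credential check. A real login compares password hashes. */
static int password_ok(const char *typed, const char *real)
{
    return strcmp(typed, real) == 0;
}

/* The "bells and whistles" version modelled on the anecdote: hitting the
 * limit is treated as an error, and the error handler has no idea what to
 * do, so it starts the shell anyway. Note the only deliberate grant
 * (password_ok) and the accidental one (the error label) both end in
 * OUT_SHELL. */
enum outcome buggy_login(const char *real, const char *const *tries, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++) {
        if (password_ok(tries[i], real))
            return OUT_SHELL;
        if (++bad >= MAX_BAD)
            goto error;
    }
    return OUT_RETRY;          /* still prompting */
error:
    /* "Well, I don't know what ELSE to do, and he DID say he wanted root" */
    return OUT_SHELL;
}

/* Fail-closed version: the single path to OUT_SHELL is a successful
 * password check, and the limit is checked before each attempt, so a
 * correct password typed after the limit is still refused. */
enum outcome safe_login(const char *real, const char *const *tries, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++) {
        if (bad >= MAX_BAD)
            return OUT_LOCKED;
        if (password_ok(tries[i], real))
            return OUT_SHELL;
        bad++;
    }
    return bad >= MAX_BAD ? OUT_LOCKED : OUT_RETRY;
}

/* Constructed sample input: the "random junk" typed at the console. */
static const char *const JUNK[] = {
    "qwrt", "asdf", "zxcv", "1234", "uiop", "hjkl"
};
#define JUNK_N ((int)(sizeof JUNK / sizeof JUNK[0]))

/* Constructed sample input: correct password on the first try. */
static const char *const GOOD_FIRST[] = { "correct horse" };

static const char *name(enum outcome o)
{
    return o == OUT_SHELL ? "shell" : o == OUT_RETRY ? "retry" : "locked";
}

int main(void)
{
    printf("buggy, %d junk passwords: %s\n", JUNK_N,
           name(buggy_login("correct horse", JUNK, JUNK_N)));
    printf("safe,  %d junk passwords: %s\n", JUNK_N,
           name(safe_login("correct horse", JUNK, JUNK_N)));
    return 0;
}
```

The point of the pair is structural rather than the particular limit: in `safe_login` there is exactly one statement that can yield a shell, so an auditor can read the function and enumerate every path to it, which is the "simplicity in critical programs like login" Al is asking for.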