Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!spool.mu.edu!olivea!bbn.com!cosell
From: cosell@bbn.com (Bernie Cosell)
Newsgroups: comp.org.eff.talk
Subject: Re: Passwords
Message-ID: <64654@bbn.BBN.COM>
Date: 14 Jun 91 14:40:48 GMT
Article-I.D.: bbn.64654
References: <14907.28501E2D@fidogate.FIDONET.ORG> <1991Jun11.221113.14213@athena.cs.uga.edu>
Sender: news@bbn.com
Lines: 33

mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
}In article <14907.28501E2D@fidogate.FIDONET.ORG> Cyrano.De@f111.n125.z1.FIDONET.ORG (Cyrano De) writes:
}>Forgive me for jumping in mid-stream, but why would a person want to keep
}>changing passwords? I'm not being fasicious (is that *darn* word spelled
}>right?), just naive and paranoid (both at once!).
}>
}The main reason for changing passwords is that eventually, your password
}may fall into the wrong hands without your knowing it. A common trick
}is to obtain copies of /etc/passwd files from UNIX systems. The passwords
}on them are encrypted, but password-guessing programs (relatively slow)
}can be used to crack some of them.

Yeah, but this is really muddle-headed reasoning, and in fact even the rainbow book on password maintenance is annoyingly non-logical about it. Generally, security considerations must flow from an evaluation of the threat, the cost of the change, the cost of a penetration, etc. In this case, there is this big non-quantifiable "article of faith": that one should pick some interval, totally at random as far as I can tell, and compel folks to change their passwords at least that often. Unlike other security matters [e.g., length of the password, or disallowing words from /usr/dict/words and such], there is apparently no way, and no need, to justify the interval chosen... would changing twice as often be more prudent? would changing only half as often be an unacceptable risk?
As we move to a world where security *ought to* ever more be based on real, concrete analysis, I find myself more and more skeptical of doing things based on vague fears [and then doing them based NOT on an engineering analysis, but rather on doing them 'enough' to assuage the discomfort of the administrators] seems like a lousy way to be approaching the whole matter of computer security...

/Bernie\
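A worked version of the kind of threat-and-cost analysis Cosell asks for, added here as an example and not part of the original thread. It models one constructed scenario: an attacker copies /etc/passwd at a random point in the rotation period, needs a fixed number of days of offline guessing to recover a hash, and can use the password until the next forced change; all numbers, function names and the model itself are assumptions of this example.

```python
"""Toy model of what a forced change interval buys against offline guessing.

Constructed assumptions for this example: the leak of the hash file happens
at a uniformly random day within the rotation period, guessing one hash takes
a fixed `crack_days`, and a recovered password is useful only until the next
forced change.  Every figure below is hypothetical.
"""
from __future__ import annotations


def exposure_days(rotation_days: float, crack_days: float, leak_day: float) -> float:
    """Days a recovered password stays valid for one specific leak.

    leak_day is counted from the last change (0 <= leak_day < rotation_days).
    If guessing finishes after the next change, the attacker gains nothing.
    """
    usable_from = leak_day + crack_days
    return max(0.0, rotation_days - usable_from)


def mean_exposure_days(rotation_days: float, crack_days: float) -> float:
    """Expected exposure per leak, averaged over a uniformly random leak_day.

    Integrating exposure_days over leak_day in [0, rotation_days) gives
    (rotation - crack)^2 / (2 * rotation) when crack < rotation, else 0.
    """
    if crack_days >= rotation_days:
        return 0.0
    return (rotation_days - crack_days) ** 2 / (2.0 * rotation_days)


def compare_intervals(crack_days: float, intervals: list[float]) -> dict[float, dict[str, float]]:
    """Set the cost side (forced changes per year) next to the benefit side
    (expected days a cracked password remains usable) for each interval."""
    out: dict[float, dict[str, float]] = {}
    for days in intervals:
        out[days] = {
            "changes_per_year": 365.0 / days,
            "mean_exposure_per_leak": mean_exposure_days(days, crack_days),
        }
    return out


if __name__ == "__main__":
    # Hypothetical: two days of guessing per hash, four candidate intervals.
    for days, row in compare_intervals(2.0, [30, 60, 90, 180]).items():
        print(f"rotate every {days:>3} days: {row['changes_per_year']:5.1f} changes/yr, "
              f"{row['mean_exposure_per_leak']:6.1f} usable days per leak")
```

Under these assumptions the exposure per leak grows roughly in step with the interval, and drops to zero only when guessing takes longer than the interval itself, which is the sort of relationship one would need to state before defending any particular number.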