Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!mips!spool.mu.edu!olivea!genie!udel!haven.umd.edu!uvaarpa!murdoch!astsun9.astro.Virginia.EDU!gl8f
From: gl8f@astsun9.astro.Virginia.EDU (Greg Lindahl)
Newsgroups: comp.org.eff.talk
Subject: Re: Allow students to run password guessers? Was: Re: Student suspen...
Message-ID: <1991Jun24.151726.16361@murdoch.acc.Virginia.EDU>
Date: 24 Jun 91 15:17:26 GMT
References: <1991Jun22.234109.25051@athena.cs.uga.edu> <1991Jun23.231749.25498@murdoch.acc.Virginia.EDU> <1991Jun24.041435.5423@athena.cs.uga.edu>
Sender: usenet@murdoch.acc.Virginia.EDU
Organization: Department of Astronomy, University of Virginia
Lines: 39

In article <1991Jun24.041435.5423@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:

>This is getting ridiculous. Our policy is that students are *not* allowed
>to obtain passwords without the consent of the password owner, by any means
>whatever.

But that's not what you said earlier: you said you didn't allow students
to run COPS. Some password checkers don't tell you what passwords are when
they crack them: they come back and say: "Well, I found 16 passwords in the
dictionary, I would suggest that you avoid this system like the plague."

Second, it seems to me (and I'm hardly a lawyer) that it's entirely legal
for anyone to obtain another's password, as long as they don't intend to do
anything nasty with it. It would be much more effective for you to run
shadow password files than to restrict your users in arbitrary and silly
ways.

>I do not buy the idea that easy-to-guess passwords "deserve" to be stolen,

Neither do I.

>nor that it is legitimate to run a password guesser "to see if the system
>is secure." Other tests, possibly, but not something that will give you
>direct access to someone else's password.

Running a password guesser doesn't necessarily give you direct access to a
password. Even if it did, it is not illegal.

>Even the Free Software Foundation notices if you call "crypt" more than a
>few times (as when running a password guesser).

Yup, because they're having security problems at the moment. But a
"professional" cracker doesn't use the system crypt() anyway, so this
policy isn't going to solve all your problems. The only way for you to
insure a minimum level of password security is through user education,
shadow password files, and administrator testing --- not by burying your
head in the sand.
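The kind of non-disclosing checker the post mentions (one that reports "I found N passwords in the dictionary" without ever saying which account or which word), as an added example that is not part of the original post or of COPS. It assumes a constructed, shadow-like file with salted SHA-256 hashes standing in for the system's crypt(3), and a made-up five-word dictionary; the function names, the file layout `user:salt$hash`, and all sample accounts are assumptions of this example.

```python
"""Added example (not from the original post): a dictionary audit that
returns only counts and a verdict, never the matched passwords or users.

Assumptions (not from the page): hashes are salted SHA-256 in a
constructed 'user:salt$hash' file; the wordlist and accounts are made up.
"""
import hashlib
import hmac

# Constructed sample wordlist standing in for a dictionary file.
WORDLIST = ["password", "secret", "letmein", "welcome", "qwerty"]


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256; a stand-in for the system crypt(3) discussed in the post."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def parse_shadow(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'user:salt$hash' lines into {user: (salt, hash)}.

    Locked ('*' or '!') and empty entries are skipped: they have no
    hash to test, so counting them would inflate the 'checked' figure.
    """
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 1)
        if field in ("*", "!", ""):
            continue
        salt, digest = field.split("$", 1)
        accounts[user] = (salt, digest)
    return accounts


def audit(shadow_text: str, wordlist=WORDLIST) -> dict:
    """Return a report holding only counts and a verdict.

    The usernames and the words that matched are deliberately not
    collected, so the report can be handed to an administrator (or a
    student running the checker) without disclosing anyone's password.
    """
    accounts = parse_shadow(shadow_text)
    weak = 0
    for salt, digest in accounts.values():
        for word in wordlist:
            # Constant-time comparison, so the report cannot be timed either.
            if hmac.compare_digest(hash_password(salt, word), digest):
                weak += 1
                break  # one hit per account is enough; stop at the first match
    return {
        "checked": len(accounts),
        "in_dictionary": weak,
        "verdict": ("avoid this system like the plague" if weak
                    else "no dictionary passwords found"),
    }


# Constructed sample file: three dictionary passwords, one strong, one locked.
SAMPLE_SHADOW = "\n".join([
    "alice:s1$" + hash_password("s1", "password"),
    "bob:s2$" + hash_password("s2", "letmein"),
    "carol:s3$" + hash_password("s3", "welcome"),
    "dave:s4$" + hash_password("s4", "correct-horse-battery-staple-9"),
    "nobody:*",
])

if __name__ == "__main__":
    report = audit(SAMPLE_SHADOW)
    print(f"Checked {report['checked']} accounts, "
          f"{report['in_dictionary']} in dictionary: {report['verdict']}")
```

The point of the design is what the report omits: the per-account result is reduced to a counter before it leaves the loop, so the checker can be run by someone who is not trusted with the passwords themselves, which is the distinction the post draws between a guesser and a checker.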