Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!hobbes.physics.uiowa.edu!news.iastate.edu!sharkey!fmsrl7!wreck
From: wreck@fmsrl7.UUCP (Ron Carter)
Newsgroups: comp.org.eff.talk
Subject: Re: Allow students to run password guessers?
Summary: Are you running short on distinctions?
Message-ID: <44260@fmsrl7.UUCP>
Date: 24 Jun 91 14:44:35 GMT
References: <1991Jun24.041435.5423@athena.cs.uga.edu>
Reply-To: wreck@fmsrl7.UUCP (Ron Carter)
Organization: Ford Motor Company, Scientific Research Labs, Dearborn, MI
Lines: 21

In article <1991Jun24.041435.5423@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
>This is getting ridiculous. Our policy is that students are *not* allowed
>to obtain passwords without the consent of the password owner, by any means
>whatever.

Can't you draw a distinction between:

a.) Obtaining another user's password, and
b.) Seeing if certain security-critical passwords are obtainable
    by dictionary search?

The first is definitely a problem if done other than accidentally,
the second is essential to the user knowing if their usage of the
system is likely to be disrupted or not. It is arguable that if
#1 is accomplished accidentally as part of determining #2, that
it is not a harmful act. It is certainly not malicious.

Why don't you just run COPS yourself every so often, and have it
send mail to the users whose passwords are easily broken? You
won't have to worry about crackers using dictionary searches on
your system ever again.