From: utzoo!decvax!cca!Michael.Young@Cmu-10a@sri-unix
Newsgroups: net.unix-wizards
Title: Re: efficiency of /etc/passwd lookup
Article-I.D.: sri-unix.4088
Posted: Thu Oct 28 02:33:25 1982
Received: Fri Oct 29 00:48:55 1982

From: Michael Wayne Young
Date: 26 October 1982 1216-EDT (Tuesday)

I'm not sure I agree with the statement that you should allow ONLY those specific passwords. The 'passwd' programs I've seen warn to that effect, but after 4 or 5 tries at something it would reject, it gives up. I think a better approach is just to not let anyone but user foo get user foo's encrypted password. Still, I DO think it's essential to warn the naive about the silly passwords (like those in the "Case History") -- most naive users won't have enough nerve to disregard what the passwd program says 4 times in a row.

When you say the "Kernelized Secure UNIX" project -- do you mean the "UCLA Unix Security Kernel"? If so, they had NO interest in dealing with passwords -- the paper (CACM Feb. 80) discusses their effort at proving the kernel itself secure. It in fact leaves out of the discussion those "trusted processes" that we all know and love.

Nonetheless, I agree that library interfaces are the way to go: if I were dealing with an old V6 system, this entire conversation would be inane because of the amount of code that would need fixing.

Michael