Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!burl!mgnetp!ihnp4!houxm!houxz!vax135!cornell!uw-beaver!tektronix!hplabs!sdcrdcf!sdcsvax!akgua!mcnc!rti!rti-sel!trt
From: trt@rti-sel.UUCP
Newsgroups: net.unix-wizards
Subject: Re: more secure login
Message-ID: <1134@rti-sel.UUCP>
Date: Thu, 12-Jul-84 19:40:27 EDT
Article-I.D.: rti-sel.1134
Posted: Thu Jul 12 19:40:27 1984
Date-Received: Wed, 18-Jul-84 03:29:05 EDT
References: utzoo.4059 <24@amd.UUCP>
Lines: 20

If your phone lines are so bad that more than three login attempts
are needed, I shudder at the carnage that must ensue once you do
get logged in! I suppose Phil Ngai/Larry Tepper could check for
apparently trashed input and not count such against you.
That is better than weakening their login security,
which is after all the last chance to keep some random
from logging into the system and becoming superuser.

Some other security details that should be considered:

* Beware of giving out the external password over the phone!
* It would be nice to permit the "old" external password (with a warning),
  so it can be changed regularly without causing too much grief.
* Failed-attempt logging should probably be implemented by Someone Else.
  Naive logging might result in someone's password being published
  as an "invalid login name". Sophisticated logging can be worse,
  because if something awful happens and it was logged and you
  overlooked it ... bye bye system administrator.

Tom Truscott
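
The logging hazard in the last bullet, as an added example that is not part of the original post: a failed-login formatter that echoes whatever was typed at the login prompt, next to one that only echoes names of real accounts. The function names, the tty name, the account list and the sample input are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample account list (assumption for this example);
   a real login program would consult the password database. */
static const char *known_accounts[] = { "root", "trt", "phil", NULL };

static int is_known_account(const char *name)
{
    for (size_t i = 0; known_accounts[i] != NULL; i++)
        if (strcmp(known_accounts[i], name) == 0)
            return 1;
    return 0;
}

/* Naive form: copies the typed "login name" straight into the log.
   A user who types a password at the wrong prompt gets it recorded. */
int format_naive(const char *typed, const char *tty, char *out, size_t n)
{
    return snprintf(out, n,
        "FAILED LOGIN on %s: invalid login name \"%s\"", tty, typed);
}

/* Safer form: echo the name only when it is a real account, which is
   not a secret; for anything else record the event but not the text. */
int format_safe(const char *typed, const char *tty, char *out, size_t n)
{
    if (is_known_account(typed))
        return snprintf(out, n,
            "FAILED LOGIN on %s: bad password for \"%s\"", tty, typed);
    return snprintf(out, n,
        "FAILED LOGIN on %s: unknown login name (not recorded)", tty);
}

int main(void)
{
    char line[160];
    /* Constructed input: a valid name, then a password typed as a name. */
    const char *typed[] = { "trt", "s3cr3tPw!" };

    for (int i = 0; i < 2; i++) {
        format_naive(typed[i], "ttyd0", line, sizeof line);
        puts(line);
        format_safe(typed[i], "ttyd0", line, sizeof line);
        puts(line);
    }
    return 0;
}
```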