Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/3/84; site talcott.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!genrad!panda!talcott!jak
From: jak@talcott.UUCP (Joe Konstan)
Newsgroups: net.followup
Subject: Re: Hackers at dutesta (with solution)
Message-ID: <364@talcott.UUCP>
Date: Sat, 16-Mar-85 11:27:01 EST
Article-I.D.: talcott.364
Posted: Sat Mar 16 11:27:01 1985
Date-Received: Sun, 17-Mar-85 05:59:40 EST
References: <317@dutesta.UUCP>
Organization: Harvard University
Lines: 25

> They namely did that with some knowledge of how people choose their passwords.
> It seems to be very difficult for students and staff here to think of
> passwords which are hard to guess.

*** REPLACE THIS LINE WITH YOUR PASSWORD ***

I don't see why there should be any difficulty in choosing passwords.  If the
general guideline of not picking anything that could be found in
/usr/dict/words, and not picking immediately available public info is adhered
to, passwords should be unguessable.  For example, I had a password of
$SR#>PU! for a long time, and I doubt anyone ever did or would guess its
significance (CAPS lock for a HASP command).

What I think is more dangerous is allowing externally available computers to
have passwordless accounts.  This can make access really easy.  Also, a better
solution might be storing an incorrect count, and disabling an account for 24
hours or so if 10 incorrect passwords were entered in a row.  We've had this
at times here, and I know of no problems other than with people who leave
their first names, or other similar stuff, as passwords.

Mithrandir
jak@talcott
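As an added illustration, not part of Konstan's post, here are the two mechanisms he describes written out in Python: a password check that rejects /usr/dict/words entries and immediately available public information, and a per-account counter that disables the account for 24 hours after 10 wrong passwords in a row. The word list, the account names and passwords, and the timestamp are constructed for the demo; the lockout parameters are taken from the post.

```python
"""Added example (not from the original post): dictionary/public-info
password check plus a consecutive-failure lockout of 24 hours after 10
wrong passwords. Word list, accounts and timestamps are constructed."""
from datetime import datetime, timedelta

# Constructed stand-in for /usr/dict/words; load_words() reads the real file.
DICT_WORDS = {"apple", "secret", "harvard", "password", "mithrandir"}

MAX_FAILURES = 10              # the post's "10 incorrect passwords ... in a row"
LOCKOUT = timedelta(hours=24)  # the post's "24 hours or so"
DEMO_TIME = datetime(1985, 3, 16, 11, 27)  # constructed clock for the demo


def load_words(path):
    """Load a word list such as /usr/dict/words (one word per line), lowercased."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return {line.strip().lower() for line in fh if line.strip()}


def password_is_acceptable(pw, words, public_info=()):
    """Reject dictionary words and immediately available public information
    (login name, first name, ...), compared case-insensitively. These are
    exactly the two guidelines the post names; nothing stronger is added."""
    lowered = pw.lower()
    if lowered in words:
        return False
    if any(lowered == item.lower() for item in public_info if item):
        return False
    return True


class LoginGuard:
    """Count consecutive failures per account and lock the account for
    LOCKOUT once MAX_FAILURES are reached. A successful login resets it."""

    def __init__(self, credentials):
        self._creds = credentials        # account -> password (plaintext only for the demo)
        self._failures = {}              # account -> consecutive wrong attempts
        self._locked_until = {}          # account -> datetime the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it and the counter so the user starts fresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, pw, now):
        """Return 'locked', 'ok' or 'bad'. Unknown accounts are treated like a
        wrong password so the reply does not reveal which logins exist."""
        if self.is_locked(account, now):
            return "locked"
        if self._creds.get(account) == pw:
            self._failures.pop(account, None)
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT
        return "bad"


def run_demo():
    """Ten wrong guesses, then the right password: the tenth failure locks
    the account, the correct password is refused an hour later, and it is
    accepted again once the 24 hours are up."""
    guard = LoginGuard({"jak": "$SR#>PU!"})
    results = [guard.attempt("jak", "harvard", DEMO_TIME) for _ in range(MAX_FAILURES)]
    results.append(guard.attempt("jak", "$SR#>PU!", DEMO_TIME + timedelta(hours=1)))
    results.append(guard.attempt("jak", "$SR#>PU!", DEMO_TIME + LOCKOUT))
    return results


if __name__ == "__main__":
    print(password_is_acceptable("$SR#>PU!", DICT_WORDS, ("jak", "Joe")))
    print(run_demo())
```

One caveat a site adopting the lockout should weigh: because the counter is keyed on the account rather than on the caller, anyone who knows a login name can deliberately fail ten times and lock its owner out for a day, which is why such counters are usually combined with a shorter window or with limits on the connection doing the guessing.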