Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 5/3/83 based; site houxm.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!mhuxt!houxm!gregbo
From: gregbo@houxm.UUCP (Greg Skinner)
Newsgroups: net.followup
Subject: guessing passwords
Message-ID: <1185@houxm.UUCP>
Date: Thu, 28-Mar-85 16:49:37 EST
Article-I.D.: houxm.1185
Posted: Thu Mar 28 16:49:37 1985
Date-Received: Fri, 29-Mar-85 01:27:43 EST
Organization: AT&T Bell Labs, Holmdel NJ
Lines: 21

Instead of disabling the account, why not just drop the line after the Nth try at guessing. There could also be a cache of recently tried account names, and a routine to decrease N (the number of tries you can have for the account) upon re-enabling of the line. That way, a password cracker will not have an equal number of tries to get the password, and will quit. If he tries a random sampling of accounts and passwords, a count can be made of the number of incorrect tries, and the line dropped at the Nth try, and N decreased for the next try.

In general though, making it difficult for crackers to guess passwords is just as hard as (maybe even harder than) the actual guessing of passwords. Except in cases where access to the resources must be at a minimum (like in a military environment), it's not worth it to add extra code to the passwd program to frustrate crackers. Better to just encourage people to use unguessable passwords, have them change theirs often, and, if possible, generate random passwords for accounts.

--
... hey, we've gotta get out of this place, there's got to be something better than this ...

Greg Skinner (gregbo)
{allegra,cbosgd,ihnp4}!houxm!gregbo
gregbo%houxm.uucp@harvard.arpa
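As an added illustration (not code from the post or from any AT&T system), here is a small Python model of the scheme described above: each line gets N tries, is dropped at the Nth failure, and a bounded cache of recently tried account names lowers N for the next line that retries one of those names. The account table, the names and the thresholds are constructed for the example.

```python
from collections import OrderedDict

USERS = {"gregbo": "s3cret"}   # constructed sample account table, not a real one


class LoginThrottle:
    """Shared state: bounded cache of recently tried names -> N allowed on the next line."""
    def __init__(self, verify, initial_tries=5, min_tries=1, cache_size=64):
        self.verify = verify              # callable(account, password) -> bool
        self.initial, self.min, self.cache_size = initial_tries, min_tries, cache_size
        self.recent = OrderedDict()       # account -> reduced N for whoever retries it next


class Line:
    """One dial-up line / connection. Counts wrong guesses and hangs up at the Nth."""
    def __init__(self, throttle):
        self.t, self.open = throttle, True
        self.limit, self.failures, self.seen = throttle.initial, 0, []

    def login(self, account, password):
        if not self.open:
            return "dropped"                # line already hung up; nothing more happens
        if account in self.t.recent:        # a recently tried name shrinks this line's budget
            self.limit = min(self.limit, self.t.recent[account])
        if account not in self.seen: self.seen.append(account)
        if self.t.verify(account, password):
            return "ok"
        self.failures += 1
        if self.failures >= self.limit:     # Nth wrong try on this line: drop it
            self._drop()
            return "dropped"
        return "denied"

    def _drop(self):
        self.open = False
        for acct in self.seen:              # next line that retries these names gets N-1
            self.t.recent[acct] = max(self.t.min, self.limit - 1)
            self.t.recent.move_to_end(acct)
        while len(self.t.recent) > self.t.cache_size:   # evict the oldest names
            self.t.recent.popitem(last=False)


def tries_per_reconnect(throttle, account, reconnects):
    """How many wrong guesses each successive line gets before it is dropped."""
    counts = []
    for _ in range(reconnects):
        line, n = Line(throttle), 0
        while line.login(account, "wrong-guess") != "dropped":
            n += 1
        counts.append(n + 1)                # the dropping attempt is itself a try
    return counts
```

With the defaults, `tries_per_reconnect(gate, "gregbo", 6)` yields `[5, 4, 3, 2, 1, 1]`: a caller who keeps redialling gets a shrinking budget, while a name nobody has tried recently still gets the full N.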