Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site mecc.UUCP
Path: utzoo!decvax!bellcore!ulysses!mhuxr!mhuxn!ihnp4!mecc!sewilco
From: sewilco@mecc.UUCP (Scot E. Wilcoxon)
Newsgroups: net.crypt
Subject: Re: foiling password crackers
Message-ID: <417@mecc.UUCP>
Date: Mon, 10-Feb-86 10:56:05 EST
Article-I.D.: mecc.417
Posted: Mon Feb 10 10:56:05 1986
Date-Received: Tue, 11-Feb-86 04:49:06 EST
References: <974@decwrl.DEC.COM>
Reply-To: sewilco@.UUCP (Scot E. Wilcoxon)
Distribution: na
Organization: MN Ed Comp Corp, St. Paul, MN
Lines: 26
Summary: Several systems have been doing it for years.

In article <974@decwrl.DEC.COM> moroney@jon.DEC (Mike Moroney) writes:
>>...
>>be to have the login program simply disable the ability to log in
>>successfully after a number of attempts, without notifying the user.
>>...
>>	Andrew Tannenbaum   Interactive   Boston, MA   617-247-1155
>
>VMS V4 already has this. (Lots of other security goodies, too)
>

CDC's NOS has had that for five years.  I think I also remember MULTICS
having it for much longer than that.

We used to have a large CDC machine for hundreds of high schools to use.
One of the things I did to reduce foolishness was to write a little
program which reported the time (hours, days, years) required to go
through all the combinations on a password.  I then made the source
public and rather well-known in that machine.  All the variables were
clearly documented so people could try different password lengths,
retry times, etc.  I was told by several kids that before they looked
at that program they hadn't realized the huge number of possible
passwords.
-- 

Scot E. Wilcoxon  Minn. Ed. Comp. Corp.            quest!mecc!sewilco
45 03 N / 93 15 W   (612)481-3507 {ihnp4,mgnetp}!dicomed!mecc!sewilco