Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site rti-sel.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!bellcore!decvax!mcnc!rti-sel!trt
From: trt@rti-sel.UUCP
Newsgroups: net.crypt
Subject: Re: foiling password crackers
Message-ID: <652@rti-sel.UUCP>
Date: Sun, 9-Feb-86 16:02:45 EST
Article-I.D.: rti-sel.652
Posted: Sun Feb 9 16:02:45 1986
Date-Received: Tue, 11-Feb-86 07:31:51 EST
References: <100900001@haddock.UUCP>
Organization: Research Triangle Institute, NC
Lines: 17

> ... . A simple refinement which I've never heard mentioned would
> be to have the login program simply disable the ability to log in
> successfully after a number of attempts, without notifying the user.

It sounds good but I think it would confuse and frustrate legitimate
users who are poor typists or have flakey keyboards/communications.

I suggest that people who wish to harden their system's security
first enhance login to drop connections after 3 failed attempts
and add an 'external security' password on modem lines.
If that is considered inadequate one can then (be careful!)
harden the password-setting program (e.g. BRL's 'passwd')
and enhance login to note failed attempts.
It would be real nice if 4.3 BSD had that.

After these basic things are out of the way
more elaborate steps can be considered.

	Tom Truscott
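
The per-connection limit and failure noting suggested in the post above, as an added example that is not part of the original post or of any login program it mentions. `LoginSession`, `hash_password`, the in-memory account table and the use of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # the post's figure: drop the connection after 3 failures


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the system's password hash (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginSession:
    """State for one connection, e.g. a single modem call (hypothetical class)."""

    def __init__(self, accounts, failure_log):
        self.accounts = accounts        # user -> (salt, stored_hash)
        self.failure_log = failure_log  # list standing in for a log file
        self.failures = 0
        self.dropped = False

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'retry' or 'dropped'."""
        if self.dropped:
            return "dropped"
        # Unknown users get a dummy record so both paths cost one hash.
        salt, stored = self.accounts.get(user, (b"\0" * 16, b"\0" * 32))
        matches = hmac.compare_digest(hash_password(password, salt), stored)
        if matches and user in self.accounts:
            return "ok"
        self.failures += 1
        # Note the failure, but never the typed password: it is often a
        # near-miss of the real one.
        self.failure_log.append({"user": user, "failure": self.failures})
        if self.failures >= MAX_ATTEMPTS:
            self.dropped = True
            return "dropped"
        return "retry"


def demo():
    salt = os.urandom(16)
    accounts = {"alice": (salt, hash_password("correct horse", salt))}  # constructed
    log = []
    first_call = LoginSession(accounts, log)
    guesses = ("a", "b", "c", "correct horse")
    results = [first_call.attempt("alice", g) for g in guesses]
    # A new connection starts a fresh count, so the account is never locked.
    results.append(LoginSession(accounts, log).attempt("alice", "correct horse"))
    return results, log
```

The count lives in the connection, not the account, so a poor typist only has to redial, while each batch of three guesses costs a guesser a new connection.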