Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!mit-eddie!bacchus!husc6!necntc!ames!ucbcad!ucbvax!jimi.cs.unlv.edu!robert
From: robert@jimi.cs.unlv.edu.UUCP
Newsgroups: mod.computers.vax
Subject: re: password verification...
Message-ID: <8702061407.AA01404@ucbvax.Berkeley.EDU>
Date: Fri, 6-Feb-87 09:08:34 EST
Article-I.D.: ucbvax.8702061407.AA01404
Posted: Fri Feb 6 09:08:34 1987
Date-Received: Sat, 7-Feb-87 18:45:38 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 30
Approved: info-vax@sri-kl.arpa

>Please be careful about publishing code that encrypts passwords
>using the same formula DEC uses... These code fragments can fall into
>the hands of hackers who can then build "password-guessers" that will
>get around VMS security since there is now no way to catch "logfails".

Guessing passwords is only a useful approach if users choose passwords
which are easy to guess. If you are concerned about security, you should
choose passwords which are not likely to be contained in a dictionary.
Keeping password algorithms under lock & key, and then choosing "dog" as
a password is quite inconsistent. If you choose a password with letters &
numbers, which is not a word, dictionary searches will always fail.

Being able to verify a password is useful for those applications which
need to be sure that the user at the terminal is the actual user, not
someone who walked up to a terminal while someone was out to lunch.

In any case, many sites have microfiche, including sites who employ
hackers. For this reason, encryption algorithms should not rely on
whether or not the algorithm is known to a perpetrator.

If you do not trust your users to choose reasonable passwords, set the
automatic password generation flag for them in SYSUAF.

--robert
-- 
CSNET: robert%jimi.cs.unlv.edu@relay.cs.net
UUCP:  {sdcrdcf,ihnp4}!otto!jimi!robert
       seismo!unrvax!tahoe!jimi!robert
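As an added example that is not part of the original post, the Python below shows the attack the quoted warning is about and why it only succeeds against guessable passwords: an offline dictionary search against a password hash whose algorithm the attacker knows. SHA-256 salted with the username is an assumed stand-in for DEC's hash, which this example does not reproduce; the word list, the account name and the two test passwords are constructed for illustration.

```python
"""Offline dictionary search against a password hash whose algorithm is known.

Added example, not code from the original post. SHA-256 with the username as
salt stands in for DEC's algorithm (assumption; the VMS hash is not reproduced).
"""
import hashlib
import string

# Constructed sample word list: the kind of guesses an attacker tries first.
WORDLIST = ["password", "secret", "dog", "cat", "vax", "vms", "letmein", "system"]


def hash_password(username: str, password: str) -> bytes:
    """Stand-in one-way hash. Salting with the (case-folded) username means the
    same password on two accounts yields two different hashes, so a word list
    must be re-hashed per account. This is an assumed scheme, not DEC's."""
    salt = username.upper().encode()
    return hashlib.sha256(salt + b":" + password.encode()).digest()


def dictionary_search(username: str, target_hash: bytes, wordlist=WORDLIST):
    """Hash every word in the list (plus a few trivial variants) and compare
    against a copy of the stored hash. Returns (password_or_None, attempts).
    Nothing here touches the login path, so no login failure is recorded;
    knowing the algorithm is what makes this offline comparison possible."""
    attempts = 0
    for word in wordlist:
        for candidate in (word, word.upper(), word.capitalize(), word + "1"):
            attempts += 1
            if hash_password(username, candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace_size(alphabet: str, length: int) -> int:
    """Number of candidates an exhaustive search must cover for passwords of
    exactly `length` characters drawn from `alphabet`: the cost an attacker
    faces once the password is not in any list."""
    return len(alphabet) ** length


def demo() -> dict:
    """Run the search against a dictionary word and a random-looking
    alphanumeric string, and report the 8-character alphanumeric keyspace."""
    results = {}
    for pw in ("dog", "Kq7x2Zm9"):           # constructed test passwords
        stored = hash_password("ROBERT", pw)  # constructed account name
        results[pw] = dictionary_search("ROBERT", stored)
    alnum = string.ascii_letters + string.digits
    results["keyspace_8_alnum"] = keyspace_size(alnum, 8)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Every comparison runs against a copy of the hash, so the search produces no login failures for the system to catch; the only thing deciding success is whether the password is in the list, which is the point the post makes. The keyspace figure shows what an exhaustive search over eight alphanumeric characters has to cover instead, and the per-user salt means that figure applies to each account separately rather than to all of them at once.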