Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!amdcad!ames!think!bloom-beacon!gatech!ufcsv!codas!mtune!whuts!homxb!ihnp4!cbosgd!mandrill!hal!ncoast!simpsong
From: simpsong@ncoast.UUCP (Gregory R. Simpson @ The North Coast)
Newsgroups: comp.os.vms
Subject: Re: security holes
Message-ID: <6971@ncoast.UUCP>
Date: 8 Jan 88 05:40:57 GMT
References: <48rrk@byuvax.bitnet>
Reply-To: simpsong@ncoast.UUCP (Gregory R. Simpson @ The North Coast)
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 30

In article <48rrk@byuvax.bitnet> rrk@byuvax.bitnet writes:
>Any simple substitution of "^A" for "A" in a password is easily guessed.
>You can use non-alphabetic characters such as "$" or "_", and probably
>others, but this is "light years" behind generated passwords. I use generated
>passwords (ten digit) all the time. I've never had trouble periodically
>memorizing a new password generated by VMS. And it sure helps prevent many
>security problems with user-generated passwords.
> ... I could break-in and you couldn't deleted ...

There is one big problem with generated passwords. If the casual user
is forced to use a 10-digit nonsense password, often they will just
Write it down. Presto, you don't even have to watch them type at the
keyboard... all you have to do is open their desk drawer and read it
off of their memo pad...

-grs

--
---
Gregory R. Simpson

Preferred Internet: SIMPSONG%ATD1.decnet@ge-crd.arpa or
Alternate Internet: necntc!ncoast!simpsong@harvard.HARVARD.EDU
UUCP: !cbosgd!ncoast!simpsong
UUCP: {ames,mit-eddie,harvard,talcott}!necntc!ncoast!simpsong
UUCP: {well,sun,pyramid,ihnp4}!hoptoad!ncoast!simpsong
CSNET: ncoast!simpsong@CWRU.EDU (CSnet)