Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!amdcad!ames!nrl-cmf!ukma!gatech!udel!rochester!rutgers!im4u!ut-sally!utah-cs!utah-gr!stride!tahoe!unsvax!jimi!stevie!robert
From: robert@stevie.cs.unlv.edu (Robert Cray)
Newsgroups: comp.unix.wizards
Subject: Re: 60-second timeout in Unix login
Message-ID: <721X@jimi.cs.unlv.edu>
Date: 21 Jan 88 00:00:00 GMT
References: <10578@brl-adm.ARPA>
Sender: news@jimi.cs.unlv.edu
Reply-To: robert@jimi.cs.unlv.edu (Robert Cray)
Organization: University of Nevada, Las Vegas
Lines: 20

In article <10578@brl-adm.ARPA> bzs@bu-cs.bu.EDU (Barry Shein) writes:
>Even password aging, which seems to be based upon similar logic (?) I
>assume relies on the assumption that the would-be cracker is "closing
>in" so changing it throws him/her off course. I thought we all rely on
>the massive combinatorics (assuming good passwd choice) involved?
>Changing the passwd doesn't change that.
>

I think password aging assumes that many users will have poorly chosen
passwords, and if a cracker gets it, it will only be for a short time
until it is changed next. I've run ``password guessing'' programs on a
number of varying machines; typically 40% will have normal words as
passwords.

I hear that in the next (4.7?) version of vms, it will remember the last
6 passwords so that a->b->a (which is what I always do) will be more
painful.

Another (bad) thing that vms can be set up to do is log ``intrusion''
records. It will log the username *and* password that was attempted, so
if you log on over a noisy line, and have 3 failed attempts, maybe
*that's* the time to change your password.

--robert
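The post describes three defender-side mechanisms: a password-history window that refuses a change back to one of the last 6 passwords (so a->b->a is rejected), the dictionary weakness that the poster's guessing runs exposed (plain words as passwords), and an intrusion log that should record the failed username but never the typed password. The following is an added example, not code from the post or from VMS, that implements all three as a small proactive password-change checker. The word list, user names and log format are constructed for the example; the hash iteration count is kept low so it runs quickly.

```python
"""Password-change policy checker (added example, not from the original post).

- Remembers the last HISTORY_DEPTH salted password hashes per user and
  refuses a change back to any of them (the a->b->a case).
- Refuses candidates that are plain dictionary words.
- Produces a failed-login record that deliberately omits the typed
  password, since a near-miss over a noisy line leaks most of the real one.
"""

import hashlib
import hmac
import os
from collections import deque
from datetime import datetime, timezone

HISTORY_DEPTH = 6          # matches the "last 6 passwords" window in the post
PBKDF2_ROUNDS = 5_000      # kept low for the example; production uses far more

# Constructed stand-in for /usr/dict/words.
DICTIONARY = {"secret", "password", "welcome", "dragon", "nevada"}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored history entries are not reversible lists."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        # user -> deque of (salt, digest); the deque drops the oldest entry
        # automatically once `depth` passwords have been recorded.
        self._history: dict[str, deque] = {}

    def _seen_before(self, user: str, candidate: str) -> bool:
        for salt, digest in self._history.get(user, ()):
            # Re-hash the candidate under each stored salt and compare in
            # constant time; the stored digests never need to be decrypted.
            if hmac.compare_digest(_hash(candidate, salt), digest):
                return True
        return False

    def check(self, user: str, candidate: str) -> str:
        """Return 'ok' or a 'rejected: ...' reason without storing anything."""
        if candidate.lower() in DICTIONARY:
            return "rejected: dictionary word"
        if self._seen_before(user, candidate):
            return f"rejected: matches one of last {self.depth} passwords"
        return "ok"

    def change(self, user: str, candidate: str) -> bool:
        """Apply the policy; on success record the new hash in the window."""
        if self.check(user, candidate) != "ok":
            return False
        salt = os.urandom(16)
        window = self._history.setdefault(user, deque(maxlen=self.depth))
        window.append((salt, _hash(candidate, salt)))
        return True


def failed_login_record(user: str, line: str, attempt: int) -> str:
    """Intrusion record for a failed login: who, where, which attempt.

    The password that was typed is intentionally not a parameter, so the
    log cannot leak it the way the post says VMS can be configured to.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} LOGIN-FAIL user={user} line={line} attempt={attempt}"


def demo() -> list:
    """Walk through the a->b->a case and the dictionary check."""
    h = PasswordHistory()
    results = [
        h.change("robert", "a-first-pw-1"),     # True
        h.change("robert", "b-second-pw-2"),    # True
        h.change("robert", "a-first-pw-1"),     # False: a->b->a refused
        h.change("robert", "Dragon"),           # False: dictionary word
    ]
    return results


if __name__ == "__main__":
    print(demo())
    print(failed_login_record("robert", "tty03", 3))
```

The history window is the point of the example: after six further successful changes the original password falls out of the deque and would be accepted again, which is exactly the "more painful" rather than impossible cycling the post anticipates.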