Path: utzoo!utgpu!water!watmath!clyde!cbosgd!ihnp4!twitch!anuck!jrl
From: jrl@anuck.UUCP (j.r.lupien)
Newsgroups: comp.unix.wizards
Subject: Re: 60-second timeout in Unix login
Summary: Security hole!
Message-ID: <470@anuck.UUCP>
Date: 16 Feb 88 22:25:48 GMT
References: <10578@brl-adm.ARPA> <721X@jimi.cs.unlv.edu> <465@xios.XIOS.UUCP> <18083@topaz.rutgers.edu>
Organization: AT&T Bell Labs, Andover Ma.
Lines: 14

In article <18083@topaz.rutgers.edu>, ron@topaz.rutgers.edu (Ron Natalie) writes:
> Actually at BRL, it remembers all past passwords that everyone used and
> won't ever let you reuse them (or use the "passwd" program to set two
> accounts to the same password).

Oh really? This means that if you get a reject, and you know it isn't
one of your previous passwords, it >MUST< be someone else's! Then you
just try each login on the system until you hit the one whose password
you have just "guessed".

This seems rather bogus. The passwd program should not give out ANY
information about other users' passwords, even to the extent of "you
have just used a word nobody else is using".

Security is YOUR job, too!
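
Added example, not part of the original post and not the BRL passwd code: a site-wide password history set beside a per-user, salted history, with a check that shows whether one user's accept/reject result depends on another user's password. All class and function names and the sample passwords are hypothetical.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class GlobalHistoryPolicy:
    """Behaviour described in the quoted text: one history for everyone."""
    def __init__(self):
        self.seen = set()  # unsalted digests of every password ever set
    def change(self, user: str, new_password: str) -> bool:
        digest = hashlib.sha256(new_password.encode()).digest()
        if digest in self.seen:
            return False  # a reject tells the caller some account used it
        self.seen.add(digest)
        return True

class PerUserHistoryPolicy:
    """Reuse check limited to the caller's own salted history."""
    def __init__(self):
        self.history = {}  # user -> list of (salt, digest)
    def change(self, user: str, new_password: str) -> bool:
        for salt, digest in self.history.get(user, []):
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return False  # only says something about the caller
        salt = os.urandom(16)
        self.history.setdefault(user, []).append(
            (salt, _hash(new_password, salt)))
        return True

def leaks_other_users(policy_cls) -> bool:
    """True if bob's result changes depending on what alice has set."""
    sample = "constructed-sample-1"  # constructed test value
    with_alice = policy_cls()
    with_alice.change("alice", sample)
    without_alice = policy_cls()
    return (with_alice.change("bob", sample)
            != without_alice.change("bob", sample))

if __name__ == "__main__":
    print("global history leaks:", leaks_other_users(GlobalHistoryPolicy))
    print("per-user history leaks:", leaks_other_users(PerUserHistoryPolicy))
```

Per-user salts also mean two accounts with the same password store different digests, so the stored history itself does not reveal shared passwords.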