Path: utzoo!utgpu!water!watmath!clyde!bellcore!decvax!yale!cmcl2!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn )
Newsgroups: sci.crypt
Subject: Re: Unix Password Hacker
Message-ID: <7271@brl-smoke.ARPA>
Date: 17 Feb 88 18:53:01 GMT
References: <731@ddsw1.UUCP> <657@morningdew.BBN.COM> <24582@cca.CCA.COM>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Distribution: na
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 20

In article <24582@cca.CCA.COM> bobcoe@CCA.CCA.COM.UUCP (Robert K. Coe) writes:
>I think the other side is that the antisocial types won't have a lot of trouble
>getting their hands on the code in any case, and it only takes a few of them
>to wreak havoc. The advantage of distributing the code is that it may shock
>some users and system managers into defensive action; this cracking method
>depends, after all, on the presence of stupidly chosen passwords. At our
>(UNIX) site we have taken the obvious precaution of tuning the password
>mechanism to forbid passwords that can be found in the commonly available
>on-line dictionaries. All sites should, at a minimum, do likewise. Forthwith.

Much better is simply keeping the encrypted passwords in a file that is
not publicly readable. The only essential checks are that the handful of
most obvious passwords (same as account name, forward or reversed, single
characters, etc.) are not used. There is not much problem with normal
English words (in fact, there is some advantage in allowing them), so long
as the only way for a guessing program to probe is to actually attempt to
log in.

By the way, genuine security must never rely on assumed ignorance or
ineptness of the "opposition".
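The two defensive measures Gwyn recommends above, written out as an added example that is not part of the original thread and not Doug Gwyn's or BRL's code: a password-setting check that rejects only the "handful of most obvious" choices he lists (same as the account name, the account name reversed, a single repeated character), and a check that the file holding the encrypted passwords is not readable by group or others. Dictionary words are deliberately allowed, matching the post. The function names, the "account name embedded in the password" rule, and the sample accounts are my own assumptions; Python is used for brevity rather than the C a 1988 login program would have been written in.

```python
"""Added example (not from the original sci.crypt thread).

Two checks described in the post:
  1. reject the most obvious passwords at the time they are set;
  2. make sure the encrypted-password file is not publicly readable,
     so a guessing program can only probe by actually trying to log in.
"""
import os
import stat


def obvious_password_problem(account: str, password: str):
    """Return a short reason if the password is one of the obvious
    choices named in the post, otherwise None.

    The comparison is case-insensitive so that 'Alice' does not slip
    past the check for account 'alice'.  Ordinary English words are
    NOT rejected: the post argues that is unnecessary once the
    password file itself is unreadable.
    """
    acct = account.strip().lower()
    pw = password.lower()

    if not pw:
        return "empty password"
    # 'a', 'aaaaaaaa', '11111': one distinct character, however long
    if len(set(pw)) == 1:
        return "single repeated character"
    if pw == acct:
        return "same as account name"
    if pw == acct[::-1]:
        return "account name reversed"
    # Assumed extension of the post's "etc.": 'alice1', 'alice99', ...
    if len(acct) >= 3 and acct in pw:
        return "built on account name"
    return None


def mode_is_private(mode: int) -> bool:
    """True if a st_mode value grants no read access to group or others.

    A password file is 'not publicly readable' in the post's sense
    exactly when both of these read bits are clear.
    """
    return not (mode & (stat.S_IRGRP | stat.S_IROTH))


def password_file_is_private(path: str) -> bool:
    """Check an actual file on disk (e.g. a shadow password file)."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample attempts: (account, candidate password)
    samples = [
        ("alice", "alice"),
        ("alice", "ecila"),
        ("alice", "aaaaaaaa"),
        ("alice", "alice42"),
        ("alice", "correct horse"),   # an English phrase: accepted
    ]
    for acct, pw in samples:
        verdict = obvious_password_problem(acct, pw) or "ok"
        print(f"{acct!r:10} {pw!r:18} -> {verdict}")

    # Mode bits as they would come back from os.stat(): 0o600 vs 0o644
    print("0600 private:", mode_is_private(0o100600))
    print("0644 private:", mode_is_private(0o100644))
```

`password_file_is_private` can be pointed at the real password file on a system to confirm the first recommendation holds; the mode check is kept separate from the filesystem access so it can be exercised on plain integers.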