Path: utzoo!mnetor!uunet!husc6!cmcl2!nrl-cmf!ames!umd5!uvaarpa!mcnc!rti!tijc02!pjs269
From: pjs269@tijc02.UUCP (Paul Schmidt )
Newsgroups: sci.crypt
Subject: Re: Re: Unix Password Hacker
Message-ID: <205@tijc02.UUCP>
Date: 22 Feb 88 13:32:46 GMT
References: <731@ddsw1.UUCP> <657@morningdew.BBN.COM> <24582@cca.CCA.COM> <7271@brl-smoke.ARPA>
Distribution: na
Organization: Texas Instr., Johnson City TN
Lines: 18

>
> Much better is simply keeping the encrypted passwords in a file that is
> not publicly readable. The only essential checks are that the handful of
> most obvious passwords (same as account name, forward or reversed, single
> characters, etc.) are not used. There is not much problem with normal
> English words (in fact, there is some advantage in allowing them), so long
> as the only way for a guessing program to probe is to actually attempt to
> log in.
>

Unfortunately you cannot do this in UNIX System V (as soon as you do, it
is no longer System V). I don't know about other UNIX systems. "The IEEE
Trial-Use Standard for Portable Operating System for Computer Environments"
will also need read privilege on the password file. It seems some operating
systems have ignored your suggestion in the past and will continue to do so.

Paul Schmidt
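
Added example, not part of the original post or thread: a Python sketch of the two measures discussed above. It flags accounts whose password hash sits in a world-readable passwd-format file, and it applies the quoted "obvious password" checks when a password is set. The sample entries, account names and function names are constructed for illustration.

```python
import stat

# Password-field values meaning "no hash stored in this file"
# (hash kept elsewhere, or the login is locked).
PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*"}

def is_obvious(account, candidate):
    """The quoted 'essential checks': reject a password that is a single
    character or the account name, forward or reversed."""
    name, pw = account.lower(), candidate.lower()
    return len(pw) <= 1 or pw == name or pw == name[::-1]

def exposed_hashes(passwd_text, file_mode):
    """Return accounts whose hash any local user could read and guess offline."""
    if not file_mode & stat.S_IROTH:
        return []  # not world-readable: guessing needs real login attempts
    exposed = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry: skip rather than guess its layout
        name, pwfield = fields[0], fields[1]
        if pwfield and pwfield not in PLACEHOLDERS:
            exposed.append(name)
    return exposed

# Constructed sample in passwd(5) layout; "AAconstructed" is a 13-character
# placeholder standing in for a crypt(3) hash, not a real one.
SAMPLE = (
    "alice:AAconstructed:201:20:Alice:/usr/alice:/bin/sh\n"
    "bob:x:202:20:Bob:/usr/bob:/bin/sh\n"
    "carol:*:203:20:Carol:/usr/carol:/bin/sh\n"
)

if __name__ == "__main__":
    print("world-readable 0644:", exposed_hashes(SAMPLE, 0o644))
    print("restricted 0600:    ", exposed_hashes(SAMPLE, 0o600))
    for pw in ("alice", "ecila", "a", "harvest"):
        verdict = "reject" if is_obvious("alice", pw) else "accept"
        print(f"alice / {pw!r}: {verdict}")
```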