Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!lll-tis!ames!hao!gatech!mcnc!uvaarpa!umd5!vrdxhq!dgis!csed-1!roskos
From: roskos@csed-1.UUCP (Eric Roskos)
Newsgroups: sci.crypt
Subject: Re: Unix Password Hacker
Message-ID: <281@csed-47.csed-1.UUCP>
Date: 24 Feb 88 15:47:28 GMT
References: <731@ddsw1.UUCP> <657@morningdew.BBN.COM> <24582@cca.CCA.COM> <7317@brl-smoke.ARPA>
Distribution: na
Organization: IDA, Alexandria, VA
Lines: 18

In article <7317@brl-smoke.ARPA>, gwyn@brl-smoke.ARPA (Doug Gwyn) writes:
> In article <205@tijc02.UUCP> pjs269@tijc02.UUCP (Paul Schmidt) writes:
> >> Much better is simply keeping the encrypted passwords in a file that is
> >> not publicly readable. ...
> [Examples showing recent trends towards eliminating the password field.]
> It seems some operating system specifiers agree with my suggestion now
> and will continue to do so.

It is also required by even the lowest level of the DOD Trusted Computer
Systems Evaluation Criteria (C1). From section 2.1.2.1., "Identification
and Authentication":

"The TCB [Trusted Computing Base] shall protect authentication data so
that it cannot be accessed by any unauthorized user."

Disclaimer: The above is quoted from DOD 5200.28-STD, and is not meant to
imply any interpretation of the standard.

Unix is a trademark of AT&T.
-- 
Eric Roskos, IDA (...dgis!csed-1!roskos or csed-1!roskos@HC.DSPO.GOV)
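An added audit check, written for this page and not part of the thread or of any system the posters describe, that applies the point above: it parses passwd-format records and reports any account whose second field still carries a hash inline instead of a placeholder that points at a restricted shadow file, and it checks that such a file is not readable by "other". The sample records and the set of placeholder values are constructed assumptions.

```python
"""Flag password hashes that sit in a world-readable passwd-format file.

Added example; the records below are constructed, not from any real system.
On a system that follows the advice in the thread, the second field of every
passwd entry is a placeholder and the hashes live in a file only privileged
users can read.
"""
import os
import stat
from typing import List, Tuple

# Assumed placeholder values; real systems vary ('x', '*', '!', empty, ...).
PLACEHOLDERS = {"x", "*", "!", "!!", "*NP*", ""}


def parse_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (username, password_field) for each well-formed 7-field line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a valid passwd record; skip it
        entries.append((fields[0], fields[1]))
    return entries


def exposed_hashes(text: str) -> List[str]:
    """Usernames whose hash is stored inline rather than behind a placeholder."""
    return [user for user, pw in parse_passwd(text) if pw not in PLACEHOLDERS]


def shadow_mode_ok(path: str) -> bool:
    """True if `path` exists and is unreadable by 'other' (e.g. mode 0640)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return not (mode & stat.S_IROTH)


# Constructed sample: one legacy-style entry still carrying a hash inline.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:$6$saltsalt$constructedHashValueNotReal:1001:1001:Bob:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    for user in exposed_hashes(SAMPLE_PASSWD):
        print(f"hash exposed in passwd file for account: {user}")
```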