Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!ames!nrl-cmf!cmcl2!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn )
Newsgroups: sci.crypt
Subject: Re: Unix Password Security
Message-ID: <7411@brl-smoke.ARPA>
Date: 3 Mar 88 22:08:02 GMT
References: <7271@brl-smoke.ARPA> <5289@well.UUCP> <1149@moscom.UUCP>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Distribution: na
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 15

In article <1149@moscom.UUCP> jgp@moscom.UUCP (Jim Prescott) writes:
>Rather than have the password field be a random password or a '*' why
>not have it be a real password that the user can change. Programs that
>ask for your password to prove identity would still work but would use
>the "low security" password. Only login and su would deal with the "high
>security" password kept in the protected file. This would also make
>programs that prompt for your password slightly less of a bad idea.

This would encourage users to put a copy of their "high security"
password (or a slight modification of it) in the "low security" file,
which would compromise the security of the password.

What you should have is a trusted password verifier that can be
reliably used to check a user's password against the "high security"
file, although with considerable delay (say, 5 seconds) imposed to
make it practically useless for password-probing programs.