Path: utzoo!attcan!uunet!lll-winken!lll-lcc!ames!umd5!brl-adm!adm!rbj@nav.icst.nbs.gov
From: rbj@nav.icst.nbs.gov (Root Boy Jim)
Newsgroups: comp.unix.questions
Subject: Password choices
Message-ID: <16554@brl-adm.ARPA>
Date: 19 Jul 88 17:53:13 GMT
Sender: news@brl-adm.ARPA
Lines: 48

? From: thad@cup.portal.com
? The following is something pertinent to your question regarding selection
? of passwords. Because it IS of general interest, I'm posting it; don't
? know if there ever was a followup, but the suggestions contained herein
? are good advice nonetheless.

NBS also produced a password recommendation report, but I don't know what
the number is or how to get it. Perhaps the following message was partially
derived from its input. I have a few comments on various parts:

? DDN-MGT-BULLETIN 18                       NETWORK INFO CENTER for
? 13 Jan 1984                               DCA DDN Program Mgmt Office
?                                           (415) 859-3695 NIC@SRI-NIC

[quoted in part]

? - All unsuccessful log-in attempts (Server TELNET, Server FTP,
?   regular log-in, etc.) should be logged and periodically
?   reviewed. If the machine is attended by an operator, the
?   operator should be notified. A notice of unsuccessful attempts
?   should be published to the account user at the time of the
?   next successful log-in.

Note: DO NOT log the attempted password! At least not to a file which is
readable by casual users! Remember, superusers have fumble fingers too,
and your log is likely to be filled with legitimate trivial permutations
of the real passwords as well as random attempts to break in. For example,
if your root password is `superman', what do you think a regular user
would try if he saw `supeman' and `supermam' in the log?

? - Auto-disconnect should occur after no more than three unsuccess-
?   ful log-in attempts. This is regardless of the means of
?   accessing the machine.

A more fiendish approach is to set a flag after three attempts, and allow
additional logins/passwords to be entered, but reject them even if valid.
One must type a ^D to restart login, but the cracker doesn't know this.

Other approaches have been to disable an account after repeated failures
to log in. I am glad to see this recommendation missing. Suppose I don't
like Fred. I make him unpopular with the sysadmins by intentionally
attempting to log on as him and giving the wrong password.

(Root Boy) Jim Cottrell
National Bureau of Standards
Flamer's Hotline: (301) 975-5688
The opinions expressed are solely my own and do not reflect NBS policy or agreement
Careful with that VAX Eugene!
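As an added illustration (not code from the post or from the DDN bulletin), a small Python model of the login handling discussed above: failures are logged with user, time and source but never the typed password; the user is told how many failed attempts preceded the next successful login; and, following the "fiendish" variant, a flag set after three failures rejects every further attempt, valid or not, until the session is restarted (the ^D). The username, password, salt scheme and log line format are constructed for the example.

```python
from datetime import datetime, timezone
import hashlib
import hmac

MAX_FAILURES = 3

# Constructed credential store for the example: user -> (salt, sha256(salt+pw)).
def _digest(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {"fred": ("s1", _digest("correct horse", "s1"))}


class LoginSession:
    """One login session on a line/connection; a new object is the restart (the ^D)."""

    def __init__(self, source, log, pending):
        self.source = source    # terminal line or remote host, for the log
        self.log = log          # shared list of log lines (assume anyone can read it)
        self.pending = pending  # user -> failures not yet reported to that user
        self.failures = 0
        self.locked = False     # the post's flag: set after MAX_FAILURES failures

    def attempt(self, user, password):
        """Return (success, unreported_failures); log a failure without the password."""
        ok = False
        rec = USERS.get(user)
        if rec is not None:
            salt, digest = rec
            ok = hmac.compare_digest(_digest(password, salt), digest)
        if ok and not self.locked:
            # Successful login: hand back the count for "N unsuccessful attempts since ...".
            return True, self.pending.pop(user, 0)
        # Log who, when and from where; never the password text.
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(f"{ts} login failed user={user} from={self.source}")
        if rec is not None:
            self.pending[user] = self.pending.get(user, 0) + 1
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # valid passwords are rejected from here on
        return False, 0
```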