Path: utzoo!utgpu!attcan!uunet!husc6!rutgers!cs.utexas.edu!oakhill!steve
From: steve@oakhill.UUCP (steve)
Newsgroups: comp.unix.questions
Subject: Re: Password Choices
Summary: Random is a no-no
Message-ID: <1406@devsys.oakhill.UUCP>
Date: 27 Jul 88 15:51:54 GMT
References: <16562@brl-adm.ARPA> <511@ns.UUCP> <1146@ficc.UUCP>
Organization: Motorola Inc. Austin, Tx
Lines: 31

There are two stories about passwords which are probably just urban myths but are somewhat appropriate here. The first is about random passwords:

At a location where random passwords were used, a programmer (I heard Kernighan when I was told) took his password, and on finding the random algorithm, generated a set of the next n passwords which he could apply to every user on the system till he got in. This was done (as the story goes) as a demonstration of the fallibility of random password generation.

The second story also has to do with security, and I also heard it ascribed to Kernighan (interesting his name pops up twice in related stories). It seems that in the original unix systems one of the programmers left a backdoor in login that allowed him on any user system. This was left in the binary and not the source so that regenerating login would cure it, but since most original systems just copied the binary, this trap was left in.

I don't believe either of these stories is true. In fact, careful analysis shows that both are improbable; BUT it does show that we are too careless with security. I have done some consulting work on computer security, and I have yet to truly find a completely secure system. But the holes that one finds in the everyday system are inexcusable. We cannot hope looking the other way will solve these problems, and we should never think we have completely solved these problems.

Your mooncalf - Steve
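The weakness the first story turns on, shown as an added example that is not part of the original post: a password generator driven by a small-state PRNG (here a constructed 16-bit linear congruential generator, not any real system's algorithm) is pinned down by a single observed password, after which every following password is known, whereas a generator drawing from the OS CSPRNG through Python's `secrets` module has no replayable state. The constants, alphabet and function names are all constructed for this illustration.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols
LENGTH = 8

# Constructed full-period 16-bit LCG standing in for the "random algorithm"
# of the story. Its whole internal state is one number below 65536.
LCG_A, LCG_C, LCG_M = 25173, 13849, 1 << 16


def lcg_password(state):
    """Draw LENGTH symbols from the LCG; return (password, state afterwards)."""
    chars = []
    for _ in range(LENGTH):
        state = (LCG_A * state + LCG_C) % LCG_M
        chars.append(ALPHABET[state % len(ALPHABET)])
    return "".join(chars), state


def lcg_next_passwords(state, n):
    """The next n passwords the generator will hand out from this state."""
    out = []
    for _ in range(n):
        pw, state = lcg_password(state)
        out.append(pw)
    return out


def recover_states(observed):
    """All seeds that produce the observed password. Only 2**16 candidates
    exist, so one password is enough to identify the generator's state."""
    return [s for s in range(LCG_M) if lcg_password(s)[0] == observed]


def predict_following(observed, n):
    """For each consistent seed, the n passwords issued after the observed one.
    This is the property the story describes: a generator whose entire state
    leaks through one output cannot protect anyone else's password."""
    return [lcg_next_passwords(lcg_password(s)[1], n)
            for s in recover_states(observed)]


def secure_password():
    """Each symbol comes from the OS CSPRNG; no seed exists to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
```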