Path: utzoo!attcan!uunet!husc6!rutgers!ucsd!orion.cf.uci.edu!paris.ics.uci.edu!venera.isi.edu!cracraft
From: cracraft@venera.isi.edu (Stuart Cracraft)
Newsgroups: comp.protocols.tcp-ip
Subject: virulence of the recent virus
Message-ID: <6704@venera.isi.edu>
Date: 5 Nov 88 17:07:50 GMT
Organization: USC-Information Sciences Institute
Lines: 42

Some brief tests have shown that the recent virus attack could breach approximately 4.6% of passwords on a typical large-sized Unix mainframe, revealing 10-20 passwords. All of this once again exposes the weakest link of any password-based security system: the passwords.

As a system maintainer, the two best things you can do to increase your ability to sleep at night are:

* enable password aging
* enable complex passwords

The first of these tells Unix to occasionally require that the user input a new password and confirm it, giving the old password to assure he is authorized. If you enable aging, for example, once every month or two, every user who logs into your system will be required to specify a new password.

The second of these is the more useful, but both are needed in conjunction to close a lot of holes in Unix. This particular one requires that the user specify a password with complex characters in it, either non-alphabetic, or numeric mixed with alphabetic, and of at least a certain length (10 characters seems like a good size).

Prior to this, the system maintainer can conduct an audit of the system, looking for null password fields in /etc/passwd or using Jim Gillogly's script (see earlier messages on this list) to discover English language words already compromised by the current attack (its candidate word list -- which will most surely be in the hands of every small-fry youngster who sees the current media-glory as a chance to gain new heights in his teenage years by becoming a cracker). Hence, this list must always be checked against.
Doing these three things (audit, aging, and complex) will greatly increase the security of a system. Not all Unixes have the latter two, but they are possible to implement.

Stuart
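The two checks the post recommends, the audit for null password fields in /etc/passwd and the "complex password" acceptance rule, as an added shell example that is not part of the original post or of Jim Gillogly's script. The passwd lines, the placeholder hashes and the short word list are constructed for the example; the thresholds (at least 10 characters, not purely alphabetic, not on the candidate word list) follow the post.

```shell
#!/bin/sh
# Added example: a null-password audit over a passwd file and a
# complex-password acceptance check, as recommended in the post.

# Constructed sample /etc/passwd lines; the hash fields are
# placeholders, not real crypt(3) output.
SAMPLE_PASSWD='root:XXplaceholderXX:0:1:Operator:/:/bin/sh
guest::100:100:Guest account:/usr/guest:/bin/sh
stuart:XXplaceholderXX:200:100:Stuart:/u/stuart:/bin/csh
demo::201:100:Demo login:/u/demo:/bin/sh'

# Constructed stand-in for the candidate word list the post mentions;
# the attack's own list is not reproduced here.
WORDLIST='password
sunshine
wizard
moonlight.1'

# Print the login names whose password field (field 2) is empty.
find_null_passwords() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$2 == "" { print $1 }'
}

# Return 0 if the candidate password meets the policy, 1 otherwise.
password_acceptable() {
    pw=$1
    # At least 10 characters.
    [ "${#pw}" -ge 10 ] || return 1
    # Must contain at least one non-alphabetic character.
    case $pw in
        *[!A-Za-z]*) ;;
        *) return 1 ;;
    esac
    # Must not appear on the candidate word list (exact line match).
    if printf '%s\n' "$WORDLIST" | grep -qxF -- "$pw"; then
        return 1
    fi
    return 0
}

# Stand-alone run: list null-password accounts, then try candidates.
find_null_passwords
for candidate in sunshine sunshineday 'sunshine-42' moonlight.1; do
    if password_acceptable "$candidate"; then
        echo "accept: $candidate"
    else
        echo "reject: $candidate"
    fi
done
```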