Newsgroups: comp.protocols.tcp-ip
Path: utzoo!henry
From: henry@utzoo.uucp (Henry Spencer)
Subject: Re: virulence of the recent virus
Message-ID: <1988Nov8.224853.16081@utzoo.uucp>
Organization: U of Toronto Zoology
References: <6704@venera.isi.edu>
Date: Tue, 8 Nov 88 22:48:53 GMT

In article <6704@venera.isi.edu> cracraft@venera.isi.edu (Stuart Cracraft) writes:
>As a system maintainer, the two best things you can do to increase
>your ability to sleep at night are:
>
> * enable password aging
>
> * enable complex passwords

Both are mistakes. See "UNIX Operating System Security", by F.T. Grampp and
R.H. Morris (the elder!) in the Bell Labs Technical Journal, Oct 1984.

>... If you enable aging, for example, once every
>month or two, every user who logs into your system will be required
>to specify a new password.

On the spur of the moment, which means that he often will make up a poor
password, or simply alternate between two passwords. "The goal is laudable.
The algorithm, however, is bad, and the implementation, from a security
standpoint, is just awful..." (Grampp&Morris) We thought about this for
some time, and concluded that it is better to gently remind users that
their password is getting a trifle old, rather than forcing them to change it.

>...This particular one requires
>that the user specify a password with complex characters in it,
>either non-alphabetic, or numeric mixed with alphabetic and of
>at least a certain length (10 characters seems like a good size).

Things like this may be useful in moderation; for example, preventing
overly-short passwords is certainly a good thing. However, it's very hard
to construct a simple algorithm that reliably ensures good passwords. You
may be discouraging users from choosing inventive passwords by putting
arbitrary barriers in their paths.

Grampp&Morris describe a successful attack on systems using the above
algorithm: passwords consisting of the 20 most common female first names,
followed by a single digit, let them onto every single one of the several
dozen machines they surveyed. (Incidentally, Unix truncates passwords to
8 characters, so requiring 10 is pointless.)
--
The Earth is our mother.      | Henry Spencer at U of Toronto Zoology
Our nine months are up.       |uunet!attcan!utzoo!henry henry@zoo.toronto.edu
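The following Python snippet is an added illustration of the two points Spencer makes above and is not part of the original post: the "numeric mixed with alphabetic, at least 10 characters" rule accepts the name-plus-digit pattern Grampp and Morris exploited, and the classic Unix 8-character truncation throws away the very characters the rule demanded. The name list is a small constructed stand-in for the "20 most common female first names" (the post does not give the real list), and the 8-byte limit is that of classic crypt(3).

```python
import re

# Constructed stand-in for the common-first-names list; the post does not
# reproduce the real one, so this is only a sample for the checker.
COMMON_NAMES = {"mary", "linda", "patricia", "susan", "elizabeth", "barbara"}

# Classic Unix crypt(3) only looks at the first 8 bytes of a password.
CRYPT_LIMIT = 8


def naive_complexity_ok(pw: str, min_len: int = 10) -> bool:
    """The rule quoted in the thread: long enough, and either a non-alphabetic
    character is present or digits are mixed with letters."""
    if len(pw) < min_len:
        return False
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_other = any(not c.isalnum() for c in pw)
    return has_other or (has_alpha and has_digit)


def name_plus_digit(pw: str) -> bool:
    """The Grampp & Morris pattern: a common first name followed by exactly
    one digit. Case-insensitive, so 'Elizabeth1' is caught as well."""
    m = re.fullmatch(r"([A-Za-z]+)(\d)", pw)
    return bool(m) and m.group(1).lower() in COMMON_NAMES


def effective_password(pw: str, limit: int = CRYPT_LIMIT) -> str:
    """What a crypt(3)-era system actually hashes and compares."""
    return pw[:limit]


def assess(pw: str, min_len: int = 10) -> dict:
    """Run all three checks so the gap between 'passes the policy' and
    'is actually strong' is visible in one place."""
    eff = effective_password(pw)
    return {
        "naive_ok": naive_complexity_ok(pw, min_len),
        "name_plus_digit": name_plus_digit(pw),
        "effective": eff,
        # Re-evaluate the rule on the 8 bytes the system really keeps;
        # the length floor is capped at 8 because nothing longer survives.
        "naive_ok_after_truncation": naive_complexity_ok(eff, min(min_len, CRYPT_LIMIT)),
    }
```

Running `assess("elizabeth1")` shows a password that satisfies the quoted policy, matches the name-plus-digit pattern, and is stored as the purely alphabetic "elizabet".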