Path: utzoo!utgpu!attcan!uunet!husc6!mailrus!purdue!decwrl!ucbvax!GYRE.UMD.EDU!chris
From: chris@GYRE.UMD.EDU (Chris Torek)
Newsgroups: comp.protocols.tcp-ip
Subject: password aging (from worm discussion)
Message-ID: <8811070715.AA05179@gyre.umd.edu>
Date: 7 Nov 88 07:15:13 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 35

Be *very* careful how you implement password aging. If it is done improperly, it weakens security instead of strengthening it. For instance, if the system demands that you replace your password once every two weeks, and demands that you replace it immediately upon logging in, users are likely to use `easy' passwords and/or write them down, since they must remember them only for a short while and since they have little time to think of a new one.

At any rate, we intend to implement shadow password files here (at U of MD CSD) if Berkeley does not get to it first. The way the worm breaks Unix passwords is by efficiently implementing the Unix `salted' DES encryption (possibly the worm's author simply used Bob Baldwin's code), and doing forward encryption on each of the passwords from its dictionary lists for each account. If the encrypted passwords are not readable except from privileged accounts, this method is not available; the program must instead go through standard accessways such as the `login' program, which were long ago instrumented to be able to log apparent breakin attempts. (Of course, all of this assumes that one is unable to exploit some existing bug that gives privileged access. It also assumes that your Unix vendor has at least kept up with Berkeley's security improvements since 4.2BSD.)

We already enforce `hard to guess' passwords---dictionary checking is in 4.3BSD-tahoe, and we had been using similar checking earlier---and, by some stroke of luck, we had modified the finger daemon, and had a piggish sendmail: the worm gave it a mere 20 seconds to establish connections, and we no doubt timed out.
At any rate, the worm never got established on any UMD CSD machine (though other departments were affected); but the potential was there, and that is rather frightening. The possibility of an efficient brute-force attack on other users' accounts, given an unprivileged account (as the finger bug did), is much more so. Shadow password files suddenly look quite attractive. . . .

Chris
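The two defences the post argues for (hashes kept out of the world-readable passwd file, and dictionary checking of new passwords) as an added illustration; this is not code from the post, from 4.3BSD-tahoe, or from UMD CSD. The passwd entries and the word list are constructed, and the rejection rules (minimum length 6, account name, dictionary word forwards or reversed) are an assumed policy, not the actual tahoe rule set.

```python
# Added example: defensive checks following the post's argument.
# Sample accounts and word list below are constructed, not real data.
import re

# Constructed /etc/passwd: 'guest' still carries its hash in the readable
# file; the others point to a shadow file ('x') or are locked ('*').
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
chris:x:100:100:Chris Torek:/u/chris:/bin/csh
guest:abJnggxhB/yWI:200:200:Guest:/tmp:/bin/sh
daemon:*:1:1:daemon:/:/bin/sh
"""

# Traditional crypt(3) output: 2 salt characters + 11 hash characters,
# all from the set [./0-9A-Za-z].
CRYPT13 = re.compile(r"^[./0-9A-Za-z]{13}$")

def exposed_hashes(passwd_text):
    """Usernames whose password hash is readable from the passwd file.

    Those are the accounts a worm-style offline dictionary attack can work
    on without privilege; 'x', '*' and empty fields expose nothing.
    """
    exposed = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and CRYPT13.match(fields[1]):
            exposed.append(fields[0])
    return exposed

# Constructed stand-in for the system dictionary (assumption).
WORDLIST = {"password", "secret", "wizard", "maryland", "berkeley"}

def password_rejection(candidate, username, wordlist=WORDLIST):
    """Reason a new password should be refused, or None if acceptable.

    Assumed policy: too short, equal to the account name (either way
    round), or a dictionary word forwards or reversed.
    """
    lowered = candidate.lower()
    name = username.lower()
    if len(candidate) < 6:
        return "too short"
    if lowered in (name, name[::-1]):
        return "derived from account name"
    if lowered in wordlist or lowered[::-1] in wordlist:
        return "dictionary word"
    return None
```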