Path: utzoo!utgpu!attcan!uunet!auspex!guy
From: guy@auspex.UUCP (Guy Harris)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: virulence of the recent virus
Message-ID: <409@auspex.UUCP>
Date: 7 Nov 88 18:11:52 GMT
References: <6704@venera.isi.edu>
Reply-To: guy@auspex.UUCP (Guy Harris)
Organization: Auspex Systems, Santa Clara
Lines: 51

>As a system maintainer, the two best things you can do to increase
>your ability to sleep at night are:
>
>	* enable password aging

In an article in the October 1984 AT&T Bell Laboratories Technical
Journal - "UNIX Operating System Security", F. T. Grampp and R. H.
Morris - some doubt is expressed as to whether password aging really
should help system administrators sleep better at night:

	(Description of how password aging works)

	Four things are wrong here.  First, picking good passwords, while
	not very difficult, does require a little thought, and the surprise
	that comes just at login time is likely to preclude this.  There is
	no hard evidence to support this conjecture, but it is a fact that
	the most incredibly silly passwords tend to be found on systems
	equipped with password aging.

	Second, the user who discovers that the new password is unsound or
	compromised cannot change it within the week without help from the
	system administrator.

(This is a characteristic of implementations such as the System V one,
which, once you've been forced to change your password, don't let you
change it back for a week; of course, if you *can* change it back
immediately, aging is pretty much advisory - gh)

	Third, the feature only forces people to toggle back and forth
	between two passwords.  This is not a great gain in security,
	especially if it encourages the use of less-than-ideal passwords.

(At an AT&T site, one person told me that it was common to add "0" to
the end of their password, and toggle it between "0" and "1" whenever
you were forced to change your password - gh)

	Fourth, as implemented, the date and the lifetime of a password is
	encoded, not encrypted, just after the encrypted password in the
	password file.  It is easy to write a program that scans a password
	file and prints out a list of abandoned accounts, together with the
	length of time each account has been unused.  Whether this is a
	horror or a blessing depends on your point of view.

>The second of these is the more useful, but both are needed in
>conjunction to close a lot of holes in Unix.  This particular one requires
>that the user specify a password with complex characters in it,
>either non-alphabetic, or numeric mixed with alphabetic and of
>at least a certain length (10 characters seems like a good size).

Except that UNIX systems tend to pay attention only to the first 8
characters of the password.
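The fourth point above (the aging data sits in the password file encoded, not encrypted) is illustrated by the following audit script, which is an added example and not code from the post, the paper, or any AT&T release. It assumes the System V convention for the field after the comma: four base-64 digits from the alphabet ./0-9A-Za-z giving max weeks, min weeks, and the week of last change since 1 January 1970 with the least significant digit first; the account names and hashes in the sample are constructed.

```python
# Added example: find stale accounts from a System V style password file.
# Assumed field layout after the comma (not stated in the post): "Mmww" where
# M = max weeks valid, m = min weeks before another change, ww = week of last
# change since 1970-01-01, least significant base-64 digit first.
from datetime import date
from typing import Optional

A64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def a64_digit(ch: str) -> int:
    """Value of one base-64 digit in the ./0-9A-Za-z alphabet."""
    return A64.index(ch)


def parse_aging(pw_field: str) -> Optional[dict]:
    """Decode the aging suffix of a password field; None if the account has none."""
    if "," not in pw_field:
        return None
    _hashed, aging = pw_field.split(",", 1)
    aging = aging.ljust(4, ".")[:4]  # missing trailing digits read as '.' (zero)
    return {
        "max_weeks": a64_digit(aging[0]),
        "min_weeks": a64_digit(aging[1]),
        "changed_week": a64_digit(aging[2]) + 64 * a64_digit(aging[3]),
    }


def weeks_since_epoch(day: date) -> int:
    return (day - date(1970, 1, 1)).days // 7


def stale_accounts(passwd_text: str, today: date, idle_weeks: int) -> list:
    """Return (login, weeks since last password change) for accounts idle too long."""
    now = weeks_since_epoch(today)
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        info = parse_aging(fields[1])
        if info is None:
            continue
        age = now - info["changed_week"]
        if age >= idle_weeks:
            found.append((fields[0], age))
    return found


# Constructed sample: placeholder hashes; "A/JD" = max 12, min 1, week 981,
# "A/2C" = max 12, min 1, week 900.  7 Nov 1988 is week 983.
SAMPLE = """root:XXXXXXXXXXXXX:0:1:Operator:/:/bin/sh
alice:XXXXXXXXXXXXX,A/JD:100:10:Alice:/usr/alice:/bin/sh
olduser:XXXXXXXXXXXXX,A/2C:101:10:Departed:/usr/olduser:/bin/sh
"""
```

Any user who can read the password file can run this, which is the paper's point; it takes no password cracking at all.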