Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!ucbvax!MCL.UNISYS.COM!perry
From: perry@MCL.UNISYS.COM (Dennis Perry)
Newsgroups: comp.protocols.tcp-ip
Subject: passwords
Message-ID: <8811090956.AA07706@LANAI.MCL.UNISYS.COM>
Date: 9 Nov 88 09:56:33 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 35

There has been some discussion regarding passwords and how people use 'silly' ones such as their name, etc. Left to their own initiative, people will not come up with passwords which maximize their effectiveness.

At Los Alamos, and here at Unisys, a program is available to generate pronounceable passwords, but composed at random. These password programs can be made to run in place of the option of inputting your own. Each time you type the 'passwd' command, the system gives you a new one. If you don't like it, you can get another until you find one you like. These passwords are 8 characters long and difficult to guess, if not impossible, by a human, although I am sure that a machine could try.

Along with passwords should be some monitoring of attempts to login. If the frequency is high then some attempt should be made to shut the login feature off for some period of time. At Los Alamos, with password checking, any attempt to log in that results in more than 3 failures results in that login name being 'blacklisted' and no further attempts are allowed.

I strongly encourage everyone to use such a password generator and not allow people to generate their own passwords.

Password aging is also something that could and probably should be done. If it is manual, once a year is probably enough. This allows people to memorize their passwords for a reasonable period of time. They can always request a new password if they believe that their password has been compromised. Better would be to age the password based on usage, rather than time. Even better would be smart cards which changed passwords each time one logged on, a one time password.

Further, encryption of data based on a smart card and exchange of keys for periods of data short compared to decryption attack capability would be even better.

There are lots of things that computers could do for us to make the systems we use more secure and add very little inconvenience to our life style on the Internet or in the Academic environment. We just have to implement them.

dennis
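The two mechanisms the post describes, a random pronounceable password generator and a login monitor that blacklists a login name after more than 3 failures, as an added example that is not part of the post and not the Los Alamos or Unisys programs it mentions. The consonant/vowel alternation scheme, the log record format and the rule that a successful login clears the failure counter are assumptions made here for illustration; the sample log records are constructed. The entropy function makes the post's "a machine could try" caveat concrete: pronounceability shrinks the search space well below that of 8 uniformly random characters.

```python
"""Added example: pronounceable random passwords plus a failed-login
blacklist. Not the tools referred to in the post."""
import math
import secrets
from collections import defaultdict

# Assumed pronounceability scheme: strictly alternate consonant and vowel.
# (An assumption for illustration; the real generators are not described.)
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def pronounceable_password(length=8, rng=secrets):
    """Return a random consonant/vowel-alternating string of `length` chars.

    `rng` must provide .choice(); the default is the `secrets` module so the
    draw comes from the OS CSPRNG rather than the `random` module.
    """
    return "".join(
        rng.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)
    )


def pronounceable_entropy_bits(length=8):
    """Entropy of the scheme above in bits (log2 of the number of strings).

    For 8 characters this is about 26 bits, versus about 37.6 bits for
    8 random lowercase letters: small enough for a machine to enumerate.
    """
    return sum(
        math.log2(len(CONSONANTS) if i % 2 == 0 else len(VOWELS))
        for i in range(length)
    )


def evaluate_logins(log_lines, max_failures=3):
    """Replay login records and decide each one under a blacklist rule.

    Each record is "<time> login <user> <OK|FAIL>" (a constructed format).
    A user whose failures exceed `max_failures` is blacklisted, and every
    later attempt, even with the right password, is refused ("LOCKED").
    Assumption: a successful login clears the user's failure counter.
    Returns (list of per-record decisions, set of blacklisted users).
    """
    failures = defaultdict(int)
    blacklisted = set()
    decisions = []
    for line in log_lines:
        _time, _word, user, result = line.split()
        if user in blacklisted:
            decisions.append("LOCKED")
            continue
        if result == "OK":
            failures[user] = 0
            decisions.append("ALLOW")
        else:
            failures[user] += 1
            if failures[user] > max_failures:
                blacklisted.add(user)
                decisions.append("LOCKED")
            else:
                decisions.append("DENY")
    return decisions, blacklisted


# Constructed sample records (not real log data).
SAMPLE_LOG = [
    "09:56:01 login alice FAIL",
    "09:56:05 login alice FAIL",
    "09:56:09 login alice OK",
    "09:57:00 login bob FAIL",
    "09:57:03 login bob FAIL",
    "09:57:06 login bob FAIL",
    "09:57:09 login bob FAIL",
    "09:57:40 login bob OK",
]

if __name__ == "__main__":
    print("sample password:", pronounceable_password())
    print("entropy of scheme: %.1f bits" % pronounceable_entropy_bits())
    print("8 random lowercase letters: %.1f bits" % (8 * math.log2(26)))
    decisions, blacklisted = evaluate_logins(SAMPLE_LOG)
    for rec, decision in zip(SAMPLE_LOG, decisions):
        print(rec, "->", decision)
    print("blacklisted:", sorted(blacklisted))
```

Run as a script it prints one generated password, the entropy comparison, and the decision for each sample record; bob's fourth failure trips the blacklist, so his later correct login is still refused, which is the "no further attempts are allowed" behaviour the post describes.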