Newsgroups: comp.protocols.tcp-ip
Path: utzoo!henry
From: henry@utzoo.uucp (Henry Spencer)
Subject: Re: passwords
Message-ID: <1988Nov15.174625.20077@utzoo.uucp>
Organization: U of Toronto Zoology
References: <8811090956.AA07706@LANAI.MCL.UNISYS.COM>
Date: Tue, 15 Nov 88 17:46:25 GMT

In article <8811090956.AA07706@LANAI.MCL.UNISYS.COM> perry@MCL.UNISYS.COM (Dennis Perry) writes:
>... At Los Alamos, with password checking, any attempt to log
>in that results in more than 3 failures results in that login name being
>'blacklisted' and no further attempts are allowed.

This feature, of course, opens up a nice "denial of service" attack: if
you have access to the machine, and know somebody's login name, just try
to login as them three times with nonsense passwords. Presto, they can't
login until they go see the security people. Particularly useful if you
have just broken into the system and want to keep the sysadmins off until
you finish doing your dirty work.

>I strongly encourage everyone to use such a password generator and not
>allow people to generate their own passwords.

Unfortunately, this opens up two other problems. First, a much higher
probability that passwords will be written down rather than memorized.
Second, some vulnerabilities if the password generator is poorly built,
e.g. if it uses a 16-bit random-number generator!

>Password aging is also something that could and probably should be done.

But done well, not done poorly as it was in Unix System V.
-- 
Sendmail is a bug,             | Henry Spencer at U of Toronto Zoology
not a feature.                 | uunet!attcan!utzoo!henry henry@zoo.toronto.edu
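An added illustration, not part of the post above, of the denial-of-service point Henry raises: the quoted "three failures and the name is blacklisted" rule next to a lockout that expires and backs off on its own. The user name, timings and the 60-second base lockout are constructed assumptions.

```python
"""Two account-lockout policies compared on the same constructed scenario."""
from collections import defaultdict


class HardBlacklist:
    """The quoted policy: three bad passwords blacklist the login name until
    an administrator clears it, so there is no automatic recovery."""
    MAX_FAILURES = 3

    def __init__(self):
        self.failures = defaultdict(int)
        self.blacklisted = set()

    def attempt(self, user, password_ok, now):
        if user in self.blacklisted:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.blacklisted.add(user)
        return "failed"


class DecayingLockout:
    """Temporary lockout that doubles with each round of failures and expires
    by itself: a stranger can delay the real user but not lock them out for good."""
    MAX_FAILURES = 3
    BASE_LOCK = 60  # seconds; assumed value

    def __init__(self):
        self.failures = defaultdict(int)
        self.rounds = defaultdict(int)
        self.locked_until = defaultdict(float)

    def attempt(self, user, password_ok, now):
        if now < self.locked_until[user]:
            return "locked"
        if password_ok:
            self.failures[user] = self.rounds[user] = 0
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.failures[user] = 0
            self.locked_until[user] = now + self.BASE_LOCK * 2 ** self.rounds[user]
            self.rounds[user] += 1
        return "failed"


def simulate(policy):
    """Constructed scenario: someone else sends three nonsense passwords for
    'alice'; alice then tries her real password at once and ten minutes later."""
    for t in (0, 1, 2):
        policy.attempt("alice", False, t)
    return policy.attempt("alice", True, 3), policy.attempt("alice", True, 600)
```

Under the hard blacklist both of alice's attempts return "locked"; under the decaying lockout the first is "locked" and the second succeeds.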