Path: utzoo!attcan!uunet!convex!killer!osu-cis!tut.cis.ohio-state.edu!ukma!nrl-cmf!ames!pasteur!ucbvax!pinocchio.UUCP!bzs
From: bzs@pinocchio.UUCP (Barry Shein)
Newsgroups: comp.protocols.tcp-ip
Subject: password aging (from worm discussion)
Message-ID: <8811171612.AA19137@pinocchio.UUCP>
Date: 17 Nov 88 16:12:43 GMT
References: <8811100214.AA06002@marduk.Sun.COM>
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 33

Although I support the other proposals I will argue that shadow password files are a bad idea (actually, I'm not too enamored with password aging; others have argued against this questionable idea.)

It means that if, for any reason, you believe your password file has been let out you will have to admit that your security is compromised and, for starters, have everyone change their password (then spend your time "improving" the file's security etc.) You'd better also develop effective means of detecting whether anyone has read your password file or printed it out and not disposed of it properly. You're turning the file into pure gold.

I still am confident that with methods like password changing programs which try to prod the user to choose a reasonable password AND education of users (perhaps backed with some internal enforcement, such as removing accounts that insist on trivial passwords, whatever your organization needs) the current publicly readable file affords MORE security than a shadow file.

I sincerely hope that the community consider this matter before it becomes some sort of standard. I believe it compromises security by creating more problems than it solves, complicates security administration by requiring strict controls on who can access the file and creates new security crises when the file is believed to have been read by someone unauthorized.
I fear that everyone is currently running willy-nilly trying to find *something* to do in response to this worm, let's not, in the heat of the moment, commit to something that actually makes matters worse. -Barry Shein, ||Encore||
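The post leans on "password changing programs which try to prod the user to choose a reasonable password". The following is an added example of such a check, not code from the post or from any system mentioned in it; the word list, the account data (login name and GECOS field) and the rejection rules are all constructed for illustration. It rejects the choices a dictionary-driven cracker tries first: the login name or real-name fragments, a dictionary word in any of several trivial disguises (reversed, with digits or punctuation tacked on), short passwords, and passwords drawn from a single character class.

```python
"""Password-quality filter run at password-change time.

Added example; not code from the original post. The word list below stands in
for a system dictionary such as /usr/share/dict/words, and every account value
used in the tests is constructed.
"""

import string

# Constructed stand-in for a system dictionary.
WORDLIST = {"password", "secret", "welcome", "dragon", "monkey",
            "letmein", "qwerty", "encore"}

MIN_LENGTH = 8


def _dictionary_variants(candidate):
    """Forms a cracker tries first: as typed, reversed, and with the
    punctuation and leading/trailing digits stripped off a dictionary word."""
    w = candidate.lower()
    alnum = "".join(c for c in w if c.isalnum())
    return {w, w[::-1], alnum, alnum.rstrip(string.digits), alnum.lstrip(string.digits)}


def _char_classes(pw):
    """Count how many of lower, upper, digit, punctuation appear."""
    return sum([any(c.islower() for c in pw),
                any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw),
                any(c in string.punctuation for c in pw)])


def check_password(candidate, username, gecos="", wordlist=WORDLIST):
    """Return the list of reasons the candidate is rejected; [] means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if _char_classes(candidate) < 2:
        reasons.append("uses only one character class")

    lower = candidate.lower()
    # Guesses derived from the account itself: login name plus each word of the
    # GECOS field (full name, office, etc.), forwards and reversed.
    personal = {username.lower()} | {w.lower() for w in gecos.replace(",", " ").split()}
    for p in sorted(personal):
        if p and (p in lower or p[::-1] in lower):
            reasons.append("derived from account information (%s)" % p)
            break

    for v in sorted(_dictionary_variants(candidate)):
        if v in wordlist:
            reasons.append("dictionary word (%s)" % v)
            break
    return reasons


if __name__ == "__main__":
    for pw in ("dragon1", "Encore!!", "Shein88!x", "correct-Horse7"):
        verdict = check_password(pw, "bzs", "Barry Shein")
        print("%-16s %s" % (pw, "accepted" if not verdict else "; ".join(verdict)))
```

The rejection reasons are returned rather than printed so that a passwd-style front end can show them to the user and loop until an acceptable password is chosen; the enforcement the post alludes to (locking or removing accounts that keep trivial passwords) would sit outside this function.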