Path: utzoo!attcan!uunet!ncrlnk!ncrcae!hubcap!gatech!bloom-beacon!mit-eddie!bbn!bbn.com!mesard
From: mesard@bbn.com (Wayne Mesard)
Newsgroups: comp.unix.wizards
Subject: Re: Password security
Message-ID: <32582@bbn.COM>
Date: 21 Nov 88 22:17:49 GMT
References: <4449@sneaky.TANDY.COM>
Sender: news@bbn.COM
Distribution: na
Lines: 43

From article <4449@sneaky.TANDY.COM>, by gordon@sneaky.TANDY.COM (Gordon Burditt):
> Assuming for the moment that DES is kept, security would be increased if more
> of the 2**56 bit combinations were generated by "obvious" passwords that users
> can easily remember.  So, I propose the following change to the password
> algorithm.
[...]
> - Change the length of the password to 28 characters minimum, 512 characters
>   maximum.

Whether or not your proposal makes technical sense, you have forgotten an
important element of this equation: human nature.  Yes, the very same thing
that you're trying to circumvent by coercing people into using an absurdly
cumbersome mechanism.

What would happen if this procedure were enacted?  I'll tell you:

o More people would stay logged in overnight and when they go to lunch,
  because it's become such a pain to login again.

o More people would write their passwords on slips of paper taped to their
  desk because it's become such a pain to remember.

o More people would choose easy passwords (e.g. 28 "a"s, or the alphabet
  plus their initials) to try to make memorization easier.

o More people would use the same password for the various machines on
  which they have accounts.

The people who are security conscious will select non-obvious passwords,
just like they always have, but if you want to have an impact on the rest
of us, coercion is not the way.  Your efforts will be best spent in making
sure that those who most need to be "security literate," are.
This includes sys-admins (I could list some root passwords that would make
an NSC staffer pull his hair out), and those working on proprietary
information (corporate or national).

>
> Gordon L. Burditt
> ...!texbell!sneaky!gordon

--
unsigned *Wayne_Mesard();     "He sounds like a really weird guy.  What's
MESARD@BBN.COM                 he doing for Thanksgiving?"
BBN, Cambridge, MA                                               -DB.