Checksum: 50774
Lines: 53
Path: utzoo!sq!msb
From: msb@sq.uucp (Mark Brader)
Date: Tue, 15-Nov-88 20:52:58 EST
Message-ID: <1988Nov15.205258.12029@sq.uucp>
Newsgroups: news.sysadmin
Subject: Re: Password support
References: <931@sword.bellcore.com>
Reply-To: msb@sq.com (Mark Brader)
Organization: SoftQuad Inc., Toronto

Eleazor bar Shimon (yba@sabre.bellcore.com) repeats an often-made suggestion:

> - modify /bin/passwd (on your central server if you distribute the
>   passwd file) to require that all passwords are at least 7 characters
>   in length, have at least one upper-case and one lower-case letter,
>   and one non-alphabetic character.

And I will repeat my standard response to it:

Passwords meeting the above specifications, while more secure against
electronic forms of cracking, are LESS secure against casual observation
of the typing fingers!  This is particularly an issue if they are to be
used by occasional typists and in an environment where physical security
is minimal -- a common enough situation.

Nobody would do that?  I did!  I once learned a root password by that
method.  (It was only 5 characters.)

If you're going to modify the system's password code, I think the first
thing you should do is remove the standard UNIX limit of 8 significant
characters on a password.  (If you didn't think there was such a limit,
try it!  I believe that only the first 8 characters are significant on
*all* common UNIX systems.  The reason is the DES key length, though the
password encryption is not pure DES.)

Here is an easy way to raise this limit to 16 characters:

	#define MAXPWD 8
	register char *pwd;		/* pointer to password as typed */
	....
	char pw1[MAXPWD+1], pw2[MAXPWD+1];	/* result */
	register char *p = pw1, *q = pw2;

	while (p < &pw1[MAXPWD]) {	/* fill MAXPWD slots in each half */
		*p++ = *pwd;	if (*pwd) pwd++;
		*q++ = *pwd;	if (*pwd) pwd++;
	}
	*p = *q = '\0';

This splits the given password into 2 virtual passwords of up to 8
characters each.  Encrypt them separately by the present method, each
with its own salt, and concatenate the results to form the character
string to place in the password file.  The inverse process, for login
and the like, should be obvious.

Now require that all passwords be at least *12* characters, preferably
16, and not obvious from dictionary search, keyboard patterns, and so
on.  I think that with 16 characters all-lower-case-letters is quite
sufficient if one wants to use it, and desirable if there is any chance
of being watched.

Mark Brader			"Alas, there is NO SUCH THING as
SoftQuad Inc., Toronto		 'NO SUCH THING as privileged access.'"
utzoo!sq!msb, msb@sq.com				-- Alan Silverstein
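The split-and-double-encrypt scheme and its inverse for login, written out as an added example (not Mark Brader's code): the halves are taken exactly as the post's loop takes them, each is "encrypted" with its own two-character salt, and the two fields are concatenated into the password-file string. `fake_crypt` is a constructed stand-in for crypt(3) so the example runs without a crypt library; it is not a real password hash.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAXPWD 8   /* the traditional 8-significant-character limit */

/* Split a typed password into two "virtual passwords" as in the post:
 * characters 1,3,5,... go to pw1 and 2,4,6,... to pw2, at most MAXPWD each. */
void split_pwd(const char *pwd, char pw1[MAXPWD + 1], char pw2[MAXPWD + 1])
{
    char *p = pw1, *q = pw2;
    while (p < &pw1[MAXPWD]) {        /* exactly MAXPWD slots per half */
        *p++ = *pwd; if (*pwd) pwd++;
        *q++ = *pwd; if (*pwd) pwd++;
    }
    *p = *q = '\0';
}

/* Stand-in for crypt(3), constructed for this example only: a salted
 * 32-bit FNV-1a mix, NOT a real password hash.  Output is 2 salt chars
 * followed by 8 hex digits, so each half yields a fixed-width field. */
void fake_crypt(const char *half, const char *salt2, char out[11])
{
    uint32_t h = 2166136261u;
    const char *s;
    for (s = salt2; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    for (s = half;  *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    sprintf(out, "%c%c%08x", salt2[0], salt2[1], (unsigned)h);
}

/* Password-file field: encrypt each half with its own salt and concatenate. */
void make_entry(const char *pwd, const char *salt1, const char *salt2,
                char entry[21])
{
    char pw1[MAXPWD + 1], pw2[MAXPWD + 1], a[11], b[11];
    split_pwd(pwd, pw1, pw2);
    fake_crypt(pw1, salt1, a);
    fake_crypt(pw2, salt2, b);
    memcpy(entry, a, 10);
    memcpy(entry + 10, b, 11);        /* second copy carries the NUL */
}

/* The inverse process for login: recover both salts from the stored
 * field, re-encrypt the two halves of what was typed, and compare. */
int check_entry(const char *typed, const char *entry)
{
    char salt1[3] = { entry[0], entry[1], '\0' };
    char salt2[3] = { entry[10], entry[11], '\0' };
    char again[21];
    make_entry(typed, salt1, salt2, again);
    return strcmp(again, entry) == 0;
}
```

With the 8-character truncation the post complains about, changing the 16th character of a password would not alter the stored string; here it lands in the second half and the check fails.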