Path: utzoo!attcan!uunet!husc6!rutgers!bellcore!faline!sword!arrow!yba
From: yba@arrow.bellcore.com (Mark Levine)
Newsgroups: news.sysadmin
Subject: Re: Password support
Message-ID: <941@sword.bellcore.com>
Date: 16 Nov 88 23:06:51 GMT
References: <931@sword.bellcore.com> <1988Nov15.205258.12029@sq.uucp>
Sender: news@sword.bellcore.com
Reply-To: yba@arrow.UUCP (Mark Levine)
Organization: Bellcore, Red Bank, NJ
Lines: 25

In article <1988Nov15.205258.12029@sq.uucp> msb@sq.com (Mark Brader) writes:
>> - modify /bin/passwd ... to require that all passwords are at least 7 characters
>> in length, have at least one upper-case and one lower-case letter,
>> and one non-alphabetic character.
>
>Passwords meeting the above specifications, while more secure against
>electronic forms of cracking, are LESS secure against casual observation
>of the typing fingers!

The context of my suggestion was prevention of electronic cracking by the
worm and by network crackers. Not to be petty, but I don't see how your
conclusion follows at all. Are you claiming that use of the top row and
the shift key makes it easier to follow a typist?

Changing one program, /bin/passwd, seems far easier than systematically
replacing all routines and doing double encryption (ah, for dynamic linking!).
Part of any solution for admins should probably be the notion that the
solution is cheap, i.e., does not cause more trouble than the cracker does by
at least a factor of two.

I'd suggest that if you are concerned with physical security, hiding the
hands of users is the wrong place to start, and making them type in
16-character passwords is going to be even harder to sell than remembering
ones that are not common words (leading to the dreaded "write-it-down"
problem).

Eleazor bar Shimon, once and future Carolingian
yba@sabre.bellcore.com