Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cs.utexas.edu!husc6!m2c!applix!jim
From: jim@applix.UUCP (Jim Morton)
Newsgroups: news.sysadmin
Subject: Re: Password support
Summary: "fixed in V.3.2"
Message-ID: <853@applix.UUCP>
Date: 15 Nov 88 15:08:26 GMT
References: <22401@cornell.UUCP> <4627@rayssd.ray.com> <931@sword.bellcore.com>
Organization: APPLiX Inc., Westboro MA
Lines: 30

In article <931@sword.bellcore.com> yba@arrow.bellcore.com (Mark Levine) writes:
> - modify /bin/passwd (on your central server if you distribute the
>   passwd file) to require that all passwords are at least 7 characters
>   in length, have at least one upper-case and one lower-case letter,
>   and one non-alphabetic character. This immediately removes short
>   passwords, dictionary entries and passwords which match the user
>   name (in _most_ cases!). The patches are straightforward, but I
>   don't have the author's leave to post them (yet, and since the author
>   has not, I question whether I will obtain same).
>

In Unix V.3.2, as some people have pointed out, the encrypted passwords
are now in /etc/shadow. Also, AT&T added some serious passwd restrictions -
not like in BSD where it asks you a few times to enter a longer password
and then gives in to you using a short one. The V.3.2 passwd mechanism:

-REQUIRES user accounts to have a password. You can't put one on, then
 edit /etc/shadow, and from then on log in without one
-will not let you re-use the user name as the passwd
-will not let you use short (I forget the length) passwords
-REQUIRES that they be alpha and numeric

This was such a change for me that I found myself both using a common
alphanumeric string that I wouldn't forget (license plate, "lotus123", etc.)
and/or writing the password on the system console. The end result, from
a cracker's point of view, I believe is worse than having any type of
password be acceptable. Password cracking programs now have a set of
guidelines to go by!

--
Jim Morton, APPLiX Inc., Westboro, MA
UUCP: ...harvard!m2c!applix!jim    jim@applix.m2c.org
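
An added example, not part of the original post or of any passwd source: a small audit that applies the composition rules from the quoted proposal and the V.3.2 rules as listed in the reply, and separately flags strings that pass them but are predictable. The function names, the `PREDICTABLE` list and the V.3.2 minimum length of 6 are assumptions (the post does not give the length).

```python
import re

# Constructed deny-list; "lotus123" is the post's own example of a common string.
PREDICTABLE = {"lotus123", "abc123", "passw0rd"}
V32_MIN_LEN = 6  # assumption: the post says only "short", no number


def levine_rules(pw):
    """Rules from the quoted proposal; returns the rules the password breaks."""
    failed = []
    if len(pw) < 7:
        failed.append("length<7")
    if not re.search(r"[A-Z]", pw):
        failed.append("no-upper")
    if not re.search(r"[a-z]", pw):
        failed.append("no-lower")
    if not re.search(r"[^A-Za-z]", pw):
        failed.append("no-non-alpha")
    return failed


def v32_rules(user, pw):
    """Rules as listed in the reply; returns the rules the password breaks."""
    failed = []
    if not pw:
        failed.append("empty")
    if pw == user:
        failed.append("equals-user")
    if len(pw) < V32_MIN_LEN:
        failed.append("too-short")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        failed.append("not-alnum-mix")
    return failed


def audit(user, pw):
    """Composition results plus a deny-list hit, reported independently."""
    return {
        "levine": levine_rules(pw),
        "v32": v32_rules(user, pw),
        "predictable": pw.lower() in PREDICTABLE,
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw in [("jim", "jim"), ("jim", "lotus123"), ("jim", "Lotus123")]:
        print(user, repr(pw), audit(user, pw))
```

An empty failure list together with `predictable: True` is the case the reply describes: the string satisfies the composition rules and is still an easy guess.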