Xref: utzoo sci.crypt:1405 comp.unix.wizards:13598 news.sysadmin:1972
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Path: utzoo!henry
From: henry@utzoo.uucp (Henry Spencer)
Subject: Re: Yet Another useful paper
Message-ID: <1988Dec21.194132.17986@utzoo.uucp>
Organization: U of Toronto Zoology
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <4420@xenna.Encore.COM> <2743@epimass.EPI.COM> <110@microsoft.UUCP> <12750@bellcore.bellcore.com>
Date: Wed, 21 Dec 88 19:41:32 GMT

In article <12750@bellcore.bellcore.com> karn@ka9q.bellcore.com (Phil Karn) writes:
>I too have my doubts about the effectiveness of shadow password files. My
>fear is that it will make administrators complacent; they'll reason that
>since no one can get at the file, then there's no need to ensure on a
>regular basis that people pick hard-to-guess passwords.

Turn it around: would you suggest deleting shadow password files, from
systems which already have them, just to keep the sysadmins alert? Seems
a bit drastic to me.

I would think that any sensible sysadmin realizes that password guessing
via login is always a threat. And insensible :-) sysadmins are beyond
help anyway, short of massive upheaval in the software to make it
naive-sysadmin-friendly.
-- 
"God willing, we will return." | Henry Spencer at U of Toronto Zoology
-Eugene Cernan, the Moon, 1972 | uunet!attcan!utzoo!henry henry@zoo.toronto.edu