Xref: utzoo sci.crypt:1411 comp.unix.wizards:13628 news.sysadmin:1979
Path: utzoo!attcan!uunet!actnyc!prh
From: prh@actnyc.UUCP (Paul R. Haas)
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Subject: Re: password security
Message-ID: <1115@actnyc.UUCP>
Date: 21 Dec 88 21:41:32 GMT
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <4420@xenna.Encore.COM> <259@gloom.UUCP> <4444@xenna.Encore.COM>
Reply-To: prh@actnyc.UUCP (Paul R. Haas)
Organization: InterACT Corporation
Lines: 28

In article <4444@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>The average secretary I know is bright enough to understand rules like
>"use two short words with some upper-case letters and/or digits thrown
>in and separated by a punctuation, like "Hey!Jude" "FidoIS#1". Very
>hard to guess, very easy to remember, next...

Give a thousand secretaries that same set of instructions and you will get far less than a thousand different passwords. Sort them in order of frequency and try them all on whatever system you are trying to crack. You certainly won't be able to break all the accounts, but you will get a few. Many people may prefer to listen in on a large ethernet rather than deal with a thousand secretaries, but the result should be similar.

If people are allowed to create their own passwords, there should not be a way to try ten thousand different passwords on each account without triggering some alarm.

If security is really important it may be useful to put the shadow password file on a separate server machine. The server machine should be physically and electronically remote so that the only requests it services are "check password/username", "add password/username", "remove password/username" and "changepassword newpassword/oldpassword/username". This implies that backups and restores have to be done manually.

A logical migration path to a secure password server is to use a shadow password file which is normally only accessible through a small well defined interface.
-----
Paul Haas	uunet!actnyc!prh	haas@frith.egr.msu.edu	(212) 696-3653
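The password server Haas sketches, as an added example that is not part of the original post: a service that exposes only the four requests he lists (check, add, remove, change), keeps the salted hashes where callers cannot read them, and raises an alarm once an account sees a run of failed checks. PBKDF2 and the threshold of 10 are assumptions of this example, not from the post.

```python
# Added example, not from the original post: a password server exposing only
# check/add/remove/change, with a failed-attempt alarm per account.
import hashlib
import hmac
import os

ALARM_THRESHOLD = 10  # assumed: consecutive failures per account before alarm


class PasswordServer:
    def __init__(self, threshold=ALARM_THRESHOLD):
        self._store = {}       # username -> (salt, hash); never leaves the server
        self._failures = {}    # username -> consecutive failed checks
        self.alarms = []       # usernames whose failures reached the threshold
        self._threshold = threshold

    @staticmethod
    def _hash(password, salt):
        # PBKDF2 stands in for the crypt(3) of the era; the interface is the point.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add(self, username, password):
        if username in self._store:
            return False
        salt = os.urandom(16)
        self._store[username] = (salt, self._hash(password, salt))
        return True

    def remove(self, username):
        return self._store.pop(username, None) is not None

    def check(self, username, password):
        entry = self._store.get(username)
        # Hash even for unknown names so timing does not reveal which exist.
        salt, stored = entry if entry else (bytes(16), bytes(32))
        ok = hmac.compare_digest(self._hash(password, salt), stored) and entry is not None
        if ok:
            self._failures[username] = 0
            return True
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] == self._threshold:
            self.alarms.append(username)  # hook for logging or paging an admin
        return False

    def change(self, username, old, new):
        # "changepassword newpassword/oldpassword/username": old must verify first
        if not self.check(username, old):
            return False
        salt = os.urandom(16)
        self._store[username] = (salt, self._hash(new, salt))
        return True
```

Because the file never leaves the server, a compromised client host yields no hashes to run a frequency-sorted guess list against, and a guess run against the server trips the alarm after `threshold` failures.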