Path: utzoo!attcan!uunet!cbmvax!vu-vlsi!swatsun!schwartz
From: schwartz@cs.swarthmore.edu (Scott Schwartz)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <2271@pompeii.cs.swarthmore.edu>
Date: 28 Dec 88 19:35:32 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM>
Reply-To: schwartz@pompeii.UUCP (Scott Schwartz)
Organization: SUN Lab, Swarthmore College, PA
Lines: 21

>Hiding something indicates that it is dangerous if revealed. It says,
>basically, that encryption technology is inadequate and cannot be made
>to work, the only reasonable protection is secrecy. Do we honestly
>believe this? Or, worse, do we believe that security is attained by
>layering anything we can think of onto the system?

At least in terms of the current UNIX password scheme, I have the
uncomfortable feeling that it is NOT adequate. I'll bet that 99% of the
people reading this have either used or seen a program that finds a
substantial number of passwords on a given system by encrypting the
dictionary against /etc/passwd. Put it this way: every other part of
unix has evolved, why not allow the password protection scheme to
evolve too?

As it happens, I think that Barry has a good point here. I think one
answer is to admit that 8 character passwords (and user id's, for that
matter!) are too small. Someone who knows a lot about encryption (not
me!) should suggest a better number.

--
Scott Schwartz
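The two concerns in the post, that a dictionary run against /etc/passwd recovers many passwords and that an 8-character limit caps the search space, have a defensive counterpart: check a candidate password before it is accepted, and size the work an exhaustive search would need. The following is an added example written for this page, not code from the post or from any UNIX release. The word list is a constructed stand-in for the system dictionary, and the minimum length, the character-class rule and the guess rate are assumptions chosen for illustration; the 56-bit figure reflects the classic crypt(3) behaviour of keeping 7 bits from each of the first 8 characters.

```python
"""Proactive password checks and keyspace estimates (added example)."""
import math
import string

# Constructed toy word list standing in for /usr/dict/words (assumption).
DICTIONARY = frozenset({
    "password", "swarthmore", "secret", "wizard", "unix", "letmein", "pompeii",
})

# Character classes used by the diversity rule below (assumed policy).
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def keyspace_bits(length, alphabet_size):
    """Bits of work for an exhaustive search over alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def crypt3_effective_bits(length):
    """Classic crypt(3) keeps 7 bits of each of the first 8 characters, so
    characters past the eighth add nothing and the key is at most 56 bits."""
    return 7 * min(length, 8)


def time_to_exhaust_seconds(bits, guesses_per_second):
    """Worst-case seconds to try every key at an assumed guess rate."""
    return 2 ** bits / guesses_per_second


def dictionary_forms(pw):
    """Normalisations a proactive checker compares against the word list:
    the password as typed, lower-cased, and with trailing digits removed."""
    lowered = pw.lower()
    stripped = lowered.rstrip(string.digits)
    return {pw, lowered, stripped}


def check_password(pw, dictionary=DICTIONARY, min_length=8, min_classes=3):
    """Return the reasons a candidate password is rejected; empty means OK."""
    reasons = []
    if len(pw) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if dictionary_forms(pw) & dictionary:
        reasons.append("matches a dictionary word")
    classes = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in pw))
    if classes < min_classes:
        reasons.append("uses fewer than %d character classes" % min_classes)
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "Wizard99", "Xq7#mTv2pL"):
        verdict = check_password(candidate) or ["accepted"]
        print("%-12s %s" % (candidate, "; ".join(verdict)))
    # Assumed guess rate of one million crypt(3) evaluations per second.
    rate = 1_000_000
    for length in (8, 12):
        print("length %2d: %.1f bits of printable-ASCII keyspace, "
              "crypt(3) effective %d bits, exhaust in %.0f days"
              % (length, keyspace_bits(length, 95),
                 crypt3_effective_bits(length),
                 time_to_exhaust_seconds(crypt3_effective_bits(length), rate)
                 / 86400))
```

Running the script prints the verdict for each constructed candidate and shows that, under crypt(3), a 12-character password is no harder to exhaust than an 8-character one, which is the concrete form of the post's complaint about the 8-character limit.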