Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!bzs
From: bzs@Encore.COM (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <4523@xenna.Encore.COM>
Date: 30 Dec 88 00:32:42 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <2271@pompeii.cs.swarthmore.edu>
Organization: Encore Computer Corp, Marlboro, MA
Lines: 45
In-reply-to: schwartz@cs.swarthmore.edu's message of 28 Dec 88 19:35:32 GMT
Posting-Front-End: GNU Emacs 18.41.15 of Tue Jun 9 1987 on xenna (berkeley-unix)

Ok, this is getting ridiculous...

Can we assume that before we make exotic changes like shadow passwords we can make simple changes (some Unix's already have these) to the passwd changing programs like:

1. Some mixture of upper case, lower case, digits and/or punctuation.

2. No dictionary words (even mixed case.)

3. Can't use login name, system name and a bunch of other easily checked words or patterns (3 digits, dash, 4 digits.)

4. Must be eight chars (or 7 if you're not that paranoid.)

5. Finally, will educate users about how to choose a good password (maybe we can group-write a document about just that, that would be a useful outcome of this conversation.)

This is trivial and can be enforced relatively easily without changing all sorts of system software, only one program needs to be modified.

Something has to be tacit, every time someone says that eight chars from a 64 or 100 char set should be sufficient someone else jumps up and says "not if they're all lower-case!", assume when we say "from 100 chars" we mean we'll make it hard to search less, not "from 100 chars or any number less down to one".

And let's let the conversation about more exotic methods (password aging, shadow password files, anything beyond influencing a reasonable choice of a good password in the first place which some of us claim is sufficient) proceed from there instead of going round and round in circles.
*Think*, people, how in the world can password aging protect against choosing a word from the dictionary (as one poster just claimed.) I can crack that looooong before your password ages (unless it ages every few minutes.) It's a worthwhile topic, let's not let it degenerate due to thoughtlessness. -Barry Shein, ||Encore||
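The four mechanical rules in the post (character mix, no dictionary word in any case, no login/system name or ddd-dddd pattern, eight characters) are exactly the kind of thing a passwd front-end can enforce in one place. What follows is an added example of such a checker; it is not code from the post, from BSD passwd, or from any vendor. Assumptions, since the post leaves them open: "some mixture" is read as at least two of the four character classes; the dictionary is a constructed six-word stand-in for /usr/dict/words and is matched whole-word, case-insensitively; the login and system names are rejected wherever they appear inside the candidate, case-insensitively; the function names and the enum are invented here.

```c
/* Added example: password-quality checks for a passwd front-end.
 * Rule numbers refer to the list in the post above.  Not vendor code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 8        /* rule 4: eight characters */
#define MIN_CLASSES 2    /* rule 1: assumed threshold for "some mixture" */

/* Constructed stand-in for a system dictionary such as /usr/dict/words. */
static const char *const dictionary[] = {
    "password", "secret", "wizard", "welcome", "encore", "unix", NULL
};

enum pw_verdict {
    PW_OK = 0,
    PW_TOO_SHORT,        /* rule 4 */
    PW_TOO_FEW_CLASSES,  /* rule 1 */
    PW_DICTIONARY_WORD,  /* rule 2, any mix of case */
    PW_CONTAINS_NAME,    /* rule 3: login or system name */
    PW_PHONE_PATTERN     /* rule 3: three digits, dash, four digits */
};

/* Case-insensitive substring search (strcasestr is a GNU extension). */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0) return 0;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Number of distinct classes present: lower, upper, digit, punctuation. */
static int count_classes(const char *pw)
{
    int lower = 0, upper = 0, digit = 0, punct = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else if (ispunct(c)) punct = 1;
    }
    return lower + upper + digit + punct;
}

/* The post's example pattern: ddd-dddd, i.e. a local phone number. */
static int is_phone_pattern(const char *pw)
{
    size_t i;
    if (strlen(pw) != 8 || pw[3] != '-') return 0;
    for (i = 0; i < 8; i++)
        if (i != 3 && !isdigit((unsigned char)pw[i])) return 0;
    return 1;
}

enum pw_verdict check_password(const char *pw, const char *login, const char *host)
{
    const char *const *w;
    if (strlen(pw) < MIN_LEN) return PW_TOO_SHORT;
    if (count_classes(pw) < MIN_CLASSES) return PW_TOO_FEW_CLASSES;
    for (w = dictionary; *w; w++)          /* whole word, case-folded */
        if (strlen(pw) == strlen(*w) && contains_nocase(pw, *w))
            return PW_DICTIONARY_WORD;
    if ((login && contains_nocase(pw, login)) || (host && contains_nocase(pw, host)))
        return PW_CONTAINS_NAME;
    if (is_phone_pattern(pw)) return PW_PHONE_PATTERN;
    return PW_OK;
}

const char *pw_reason(enum pw_verdict v)
{
    switch (v) {
    case PW_OK:               return "ok";
    case PW_TOO_SHORT:        return "too short";
    case PW_TOO_FEW_CLASSES:  return "needs a mix of case, digits or punctuation";
    case PW_DICTIONARY_WORD:  return "dictionary word";
    case PW_CONTAINS_NAME:    return "contains login or system name";
    case PW_PHONE_PATTERN:    return "looks like a phone number";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed candidates; login "bzs" and host "xenna" are taken from the headers. */
    const char *cands[] = { "abcdefg", "abcdefgh", "PassWord", "Bzs#2401",
                            "555-1212", "Tr0ub4dor&3", NULL };
    const char **c;
    for (c = cands; *c; c++)
        printf("%-12s %s\n", *c, pw_reason(check_password(*c, "bzs", "xenna")));
    return 0;
}
```

The checks run in order of cost, cheapest first, and the dictionary loop is where a real implementation would read the full word list; a six-word table rejects "PassWord" but obviously not every word a cracker would try, and the post's own point stands that no amount of aging substitutes for this check happening at the moment the password is chosen.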