Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cwjcc!ukma!husc6!bu-cs!encore!bzs
From: bzs@Encore.COM (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <4545@xenna.Encore.COM>
Date: 31 Dec 88 17:35:33 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <2271@pompeii.cs.swarthmore.edu> <4523@xenna.Encore.COM> <232@ibd.BRL.MIL>
Organization: Encore Computer Corp, Marlboro, MA
Lines: 19
In-reply-to: heilpern@ibd.BRL.MIL's message of 30 Dec 88 14:08:41 GMT
Posting-Front-End: GNU Emacs 18.41.15 of Tue Jun  9 1987 on xenna (berkeley-unix)


Re: using a .case file which shows the lower/upper case pattern for
a password....

But this means that login will now accept the dictionary word in lower
case? Seems to reopen that attack (ie. going thru the dictionary) as
login is correcting case for me as I go.

Worse, it relies on the unreadability of these .case files in every
user's directory, I don't think that's a good thing to rely on, if
users are sloppy about password choosing and too lazy to remember the
case shifts why do you believe they'll be careful about protecting
this .case file? Besides, holes to read unreadable files are a little
too easy to come by (also, I assume that the length of the file tells
me how many chars in your passwd?)

I don't think this idea goes very far.

	-Barry Shein, ||Encore||