Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!bzs
From: bzs@Encore.COM (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <4547@xenna.Encore.COM>
Date: 31 Dec 88 18:21:46 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <4537@xenna.Encore.COM>
Organization: Encore Computer Corp, Marlboro, MA
Lines: 43
In-reply-to: paradis@maxzilla.Encore.COM's message of 30 Dec 88 23:16:28 GMT
Posting-Front-End: GNU Emacs 18.41.15 of Tue Jun  9 1987 on xenna (berkeley-unix)


From: paradis@maxzilla.Encore.COM (Jim Paradis)
>In the case of the locked door, if we want to keep people from hacking
>on the lock and restrict the use of the lock to being opened with a proper
>key, we can post a guard at the door.  Assuming that the guard cannot be
>bribed or otherwise made an accessory to an attack, s/he will prevent
>random hackery on the lock.  Similarly, by burying the password information
>and restricting access to it, one can prevent random hackery on the
>password file.

It's more like burying it in your back yard hoping no one knows how to
dig...

That's the whole point really, positing an incorruptible guard makes
it *sound* good, but of course no guard is incorruptible (or can be
guaranteed to be 100% reliable.) Similarly with file systems.

At least encryption algorithms are mathematical objects and, although
one cannot prove 100% reliable they can measure confidence under a
given set of conditions, and can modify those conditions if need be
(eg. demand longer keys or larger character sets.)

Just as a "guard" is subject to all sorts of unpredictable
circumstances such as being late for work or sleeping on the job you
can have similar attacks on something as complicated as a file system,
like leaving a setuid program around for a while accidently (did
anyone walk away with a copy of the shadow file while that program was
there?)

If we can posit a completely uncorruptible file system then hey, I'll
agree with you. And as I mentioned before, let's just store the
passwords in the clear in an unreadable file.

The other problem of course is that all I need to do is photograph
your lock to have compromised your security and there's no way for you
to know if your lock has been photographed, that's another flaw in
the analogy.

I claim you'd be better off spending your money (guards cost money,
no?) on a better door and lock rather than having to worry about the
door, the lock and the guard too now.

	-Barry Shein, ||Encore||