Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!bzs
From: bzs@Encore.COM (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: Re: password protection
Message-ID: <4553@xenna.Encore.COM>
Date: 1 Jan 89 20:05:41 GMT
References: <17994@adm.BRL.MIL>
Organization: Encore Computer Corp, Marlboro, MA
Lines: 60
In-reply-to: Kemp@dockmaster.arpa's message of 31 Dec 88 18:50:59 GMT
Posting-Front-End: GNU Emacs 18.41.15 of Tue Jun 9 1987 on xenna (berkeley-unix)

From: Kemp@dockmaster.arpa

> I can't quite parse that last sentence, but I assume you are saying
> "educate users to use mixed-case, digits, and punctuation in their
> 8 (or 7) character passwords". That's a useful idea, but it's not
> sufficient. Your math is *bogus*. Entropy has been discussed here a
> few times, but I will beat on it again.

What I'm saying is to consider using password changing programs which
enforce some reasonable policy AND educate users why it's being done
and why not to try and subvert it.

My math isn't bogus, c'mon, look at the straws we're grasping for:

> If you set an army of undergraduates to generating
> zillions of passwords based on your rules (mixed case and punctuation,
> no dictionary words, etc), I would be extremely surprised if you came
> out with as much as 40 bits of information per password.

Army of undergrads? Fine, I am GLAD to admit that my suggestion
(mixedcaseword-punct-mixedcaseword) was not optimal (although I don't
think it's an awful example, for a start), but it does not follow that
there exists no reasonable password choice algorithm (or worse, that
THEREFORE we need some of the other things suggested like shadow pw
files.) You're simply trying to force the hacker to search the whole
space or a very large space.
It's quite possible the correct conclusion is that typed-in passwords
are fundamentally hopeless; high security areas do use all those other
non-voluntary expensive methods for a reason, I assume (voiceprints,
retinal scanners etc.), probably because they reached this conclusion a
long time ago. Given that we're probably chasing a will-o'-the-wisp
(i.e. a method to make textual passwds secure.)

> Again, you miss the point. As a security issue, password aging is
> virtually orthogonal to password selection. This has also been explained
> several times here or in RISKS. Passwords may be obtained illicitly in
> many ways besides cryptanalytic attack, such as listening to your comm
> line or your ethernet, looking over your shoulder, searching your desk
> for scraps of paper, running a password grabber, bribing a system
> administrator, searching your dumpster for punched cards :-), analysing
> the reflections of an invisible laser beam aimed at your keyboard :-) :-),
> etc. The point is, an unauthorized person has your password and you don't
> know (s)he has it. How long do you want him/her to have it. If your
> answer is "a century", that's fine. On systems with anything of value
> to protect, six months might be a better answer.

Agreed! I don't miss the point, I just wonder if you can really sell
folks on a security approach which limits someone having their password
for "only" 6 months (glork.) I suppose it's better than nothing, but not
much. That's the point, it's not a very good approach (either you change
your password VERY often or stand to have your password known for
whatever the password aging cycle is, months?)

I simply think we're all grasping at straws here and many of the methods
being proposed are not really worthwhile other than perhaps as friendly
suggestions (hey you, change your pw every so often!) It's just a lot of
pap.

	-Barry Shein, ||Encore||
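An added worked example, not part of Shein's or Kemp's posts: the entropy arithmetic behind the "40 bits" dispute above, in Python. It compares the nominal key space of an 8-character password drawn from 95 printable characters with the search space an attacker actually faces against the word-punct-word scheme once the words are known to come from a word list, and it turns a bit count into an expected exhaustive-search time so the number can be set against an aging window like the six months floated in the quoted text. The word-list size, number of capitalisation patterns, punctuation count and guess rate are all assumed values chosen for illustration; the thread gives no such figures, and the 40-bit number in the quote is Kemp's estimate, not an output of this code.

```python
import math

# Added example, not from the original post. Every constant below is an
# assumption chosen for illustration; the thread states no such figures.

PRINTABLE = 95            # printable ASCII characters available per position
ASSUMED_WORDS = 20_000    # assumed size of the attacker's word list
ASSUMED_PUNCT = 32        # assumed number of separator characters tried
ASSUMED_RATE = 1_000.0    # assumed password-hash guesses per second, one machine
SIX_MONTHS_DAYS = 182     # the aging window mentioned in the quoted text


def nominal_bits(length: int, alphabet: int = PRINTABLE) -> float:
    """Bits of entropy if every position were an independent, uniform
    choice from `alphabet` symbols. This is the figure the 'your math is
    bogus' remark objects to: real users never choose that way."""
    return length * math.log2(alphabet)


def structured_bits(dict_size: int, case_variants: int,
                    n_words: int, punct_choices: int) -> float:
    """Bits of entropy for a word-punct-...-word scheme: `n_words` words
    chosen uniformly from a list of `dict_size`, each spelled in one of
    `case_variants` capitalisation patterns, joined by n_words - 1
    separators chosen uniformly from `punct_choices` characters.
    Uniform choice is the most generous assumption for the user; any
    skew (favourite words, capital only on the first letter) lowers the
    real figure further."""
    per_word = math.log2(dict_size) + math.log2(case_variants)
    return n_words * per_word + (n_words - 1) * math.log2(punct_choices)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search to hit a uniformly chosen
    password: on average half the space must be tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def outlives_window(bits: float, guesses_per_second: float,
                    window_days: float) -> bool:
    """True if the expected crack time exceeds an aging window, i.e. the
    password is on average changed before exhaustive search finds it.
    This covers guessing only; a password copied off the wire or a desk
    is compromised at once, which is the orthogonality point in the
    quoted text."""
    return expected_crack_seconds(bits, guesses_per_second) > window_days * 86_400


def compare_schemes() -> dict:
    """Worked comparison under the assumed constants. Returned rather
    than only printed so the figures can be checked programmatically."""
    naive = nominal_bits(8)
    # Eight characters as word-punct-word: two short words and one
    # separator, every letter independently upper or lower case (2**3
    # patterns for a 3-letter word; taken as a round lower figure).
    uniform_case = structured_bits(ASSUMED_WORDS, 2 ** 3, 2, ASSUMED_PUNCT)
    # Same scheme, but users only ever capitalise the first letter or nothing.
    first_cap_only = structured_bits(ASSUMED_WORDS, 2, 2, ASSUMED_PUNCT)
    return {
        "nominal_8_printable": naive,
        "word_punct_word_uniform_case": uniform_case,
        "word_punct_word_first_cap_only": first_cap_only,
        "years_to_crack_first_cap_only":
            expected_crack_seconds(first_cap_only, ASSUMED_RATE) / (365 * 86_400),
        "outlives_six_months_first_cap_only":
            outlives_window(first_cap_only, ASSUMED_RATE, SIX_MONTHS_DAYS),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

Under those assumed constants the uniform-case scheme comes out near 39.6 bits and the first-capital-only variant near 35.6 bits, against 52.6 bits nominal for eight unconstrained printable characters, and the weaker variant is expected to fall in under a year at the assumed rate. The constants are the whole story: substitute a real word-list size and a measured hash rate for the system in question before drawing any conclusion from the numbers.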