Path: utzoo!attcan!uunet!lll-winken!lll-lcc!ames!pasteur!ucbvax!ulysses!smb
From: smb@ulysses.homer.nj.att.com (Steven M. Bellovin)
Newsgroups: comp.unix.wizards
Subject: Re: UNIX security and passwords
Message-ID: <11059@ulysses.homer.nj.att.com>
Date: 3 Jan 89 22:07:46 GMT
References: <23731@pprg.unm.edu>
Organization: AT&T Bell Laboratories, Murray Hill
Lines: 13

In article <23731@pprg.unm.edu>, kurt@pprg.unm.edu (Kurt Zeilenga) writes:
> I've been managing computers for about eight years and have seen
> hundreds of security incidents first hand. Of them, I can
> only remember one or two that actually tried to use a program
> to guess passwords.

Three possible answers: (a) you've seen an atypical sample; (b) I've seen
an atypical sample, because I've seen many such incidents; or (c) just because
you haven't seen them doesn't mean they haven't happened....

The other things you cite are certainly problems that need fixing. So are
crackable passwords. I don't think anyone else in this discussion is
advocating that we stick with the current schemes, i.e., neither a private
password file nor a beefed-up passwd command.