Path: utzoo!attcan!uunet!lll-winken!lll-lcc!ames!pacbell!att!cuuxb!dlm
From: dlm@cuuxb.ATT.COM (Netnews Administrator)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <2338@cuuxb.ATT.COM>
Date: 4 Jan 89 04:34:43 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <4537@xenna.Encore.COM> <4547@xenna.Encore.COM>
Reply-To: dlm@cuuxb.UUCP (Dennis L. Mumaugh)
Organization: ATT Data Systems Group, Lisle, Ill.
Lines: 60

In article <4547@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
more comments trying to prove a shadow password file is a "bad idea".

As I seem to have triggered this latest debate, I have a couple of points:

1). Shadow password files contain the passwords encrypted. Hence they offer better protection from cracking on a properly administered machine. They do give an illusion of more security, but in no case do they give less security.

2). Shadow passwords have been around since 1976, when I implemented them at NSA after Ken and Morris major told us about their activities. Pass phrases were implemented shortly thereafter by either Dan Edwards or Howie Weiss.

3). Password choice validation has been independently invented by several people, and I worked on a scheme in 1983.

4). Automatic password generation has been invented independently several times. Human factors tend to make it fail to work.

5). I still find customers who have no root password. Or, whose root password for November was turk3y or in June was b1rds [think Baltimore and baseball].

6). All the ideas stated are good. All of them combined improve security. Short of a kernel-managed password system, we should try to merge them.

7). The key space for the password is woefully small compared to the space available. Because of the getty nonsense about case-sensitive terminals [some still around - IBM 3270 for example], capital letters are still not usable in a password.

Pass phrases are the best single improvement to the password scheme around that hasn't been implemented by a major vendor such as Berkeley or ATT.

8). Relying on the work factor for an encryption for the major protection is foolish. There will be a cracker who is smart enough to figure out how to beat the encryption. Remember that if /bin/login or /bin/passwd is publicly readable on your system, one can reverse engineer the whole protection system. After which optimize, optimize. A serious cracker will have serious help; a non-serious one will try elsewhere.

9). If one can become sys, one can become bin. If one can become bin, one can become root. In many systems if one can become uucp one can become sys. If one can become lp [line printer spooler] one has the keys to the kingdom. Trojan horses provide less work than password cracking -- they are just less certain.

Finally, human factors will still govern all of the above points. Non-technical people still will insist on having their own way.

-- 
=Dennis L. Mumaugh
 Lisle, IL ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm@arpa.att.com
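The administrative failures the post lists (points 1, 5 and 9: hashes left in a world-readable password file, accounts with no password at all, and extra UID 0 accounts) can be checked mechanically. The following audit is an added example, not code from the post; it runs over constructed /etc/passwd and /etc/shadow style records, and the hash strings in the samples are placeholders rather than real hashes.

```python
# Added example (not from the original post): audit passwd/shadow-style records
# for conditions the post warns about. All sample data below is constructed.

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
oldapp:x:0:0:legacy app:/opt/oldapp:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
legacy:abJnggxhB/yWI:1002:1002:legacy:/home/legacy:/bin/sh
"""

SHADOW_SAMPLE = """\
root::17000:0:99999:7:::
bin:*:17000:0:99999:7:::
oldapp:$6$saltsalt$placeholderhash:17000:0:99999:7:::
"""


def audit(passwd_text, shadow_text):
    """Return (account, finding) pairs for weak or mis-shadowed accounts."""
    # Map account name -> password field from the shadow file.
    shadow = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        shadow[fields[0]] = fields[1]

    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, *_ = line.split(":")
        # Any second UID 0 account is an extra superuser login.
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if pw == "":
            # No password at all: anyone who knows the name can log in.
            findings.append((name, "empty password in /etc/passwd"))
        elif pw != "x":
            # Hash left in the world-readable file; shadowing is bypassed.
            findings.append((name, "hash in world-readable /etc/passwd"))
        elif name not in shadow:
            findings.append((name, "shadowed but no /etc/shadow entry"))
        elif shadow[name] == "":
            # Shadowed, but the shadow record itself carries no password.
            findings.append((name, "empty password in /etc/shadow"))
    return findings


if __name__ == "__main__":
    for account, problem in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{account}: {problem}")
```

On the constructed input this reports root (empty shadow password), oldapp (second UID 0), guest (empty password) and legacy (hash still in /etc/passwd); bin, locked with "*", is clean.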