Path: utzoo!attcan!uunet!lll-winken!lll-lcc!ames!ncar!gatech!bloom-beacon!athena.mit.edu!jfc
From: jfc@athena.mit.edu (John F Carr)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <8613@bloom-beacon.MIT.EDU>
Date: 5 Jan 89 02:10:41 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <2271@pompeii.cs.swarthmore.edu> <4523@xenna.Encore.COM>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: jfc@athena.mit.edu (John F Carr)
Organization: Massachusetts Institute of Technology
Lines: 30

In article <4523@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>Can we assume that before we make exotic changes like shadow passwords
>we can make simple changes (some Unix's already have these) to the
>passwd changing programs like:

[a list of 4 common suggestions like no dictionary words/username]

> 5. Finally, will educate users about how to choose a good
> password

I think this alone is both necessary and sufficient for security. I see
no reason to believe that a user who is inclined to choose "easy"
passwords (i.e. chosen from a small, predictable fraction of all legal
passwords) will stop doing so when restrictions are applied. He will
just have to choose from a different set of strings. On the other hand,
an educated user will choose "good" passwords with current, unrestricted
systems.

(As long as we are talking of what makes an "easy" password, I know of a
system that compares old & new passwords to make sure that no number in
the new password is the same as a number in the old +/- 1. It also
checks the new password and refuses to allow any three letter month
abbreviation ("jan", "feb",...) or the current year as a substring.)

--
John Carr                  "When they turn the pages of history,
jfc@Athena.mit.edu          When these days have passed long ago,
bloom-beacon!               Will they read of us with sadness
athena.mit.edu!jfc          For the seeds that we let grow?"
                                                    --Neil Peart
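The two password-change rules described in the last paragraph (no digit in the new password equal to a digit in the old one +/- 1, and no month abbreviation or current year as a substring), written out as an added example that is not from the post or from the system it mentions; the function names and sample passwords are constructed for illustration.

```python
# Constructed illustration of the passwd-change checks described in the post.
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")


def digits_too_close(old, new):
    """True if any digit in `new` equals some digit in `old`, or is off by one.

    This is the "same as a number in the old +/- 1" rule: the set of digits
    in the old password is collected once, then every digit of the new
    password is compared against it.
    """
    old_digits = {int(c) for c in old if c.isdigit()}
    for c in new:
        if c.isdigit() and any(abs(int(c) - o) <= 1 for o in old_digits):
            return True
    return False


def check_new_password(old, new, year):
    """Return a list of rule violations; an empty list means the change passes.

    `year` is passed explicitly (e.g. 1989) so the check is reproducible.
    Month matching is a plain case-insensitive substring test, as the post
    describes, so "Mayflower" is rejected for containing "may".
    """
    lowered = new.lower()
    problems = []
    if digits_too_close(old, new):
        problems.append("a digit in the new password matches a digit "
                        "in the old one +/- 1")
    hits = [m for m in MONTHS if m in lowered]
    if hits:
        problems.append("contains month abbreviation: " + ", ".join(hits))
    if str(year) in new:
        problems.append("contains the current year")
    return problems


if __name__ == "__main__":
    for old, new in (("summer88", "Winter99"), ("ab", "Jan-Feb!"),
                     ("abc", "xyz1989"), ("plov3r", "kQ7%tzW")):
        print(f"{old!r} -> {new!r}: {check_new_password(old, new, 1989)}")
```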