Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-lcc!ames!mailrus!cwjcc!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!bzs
From: bzs@Encore.COM (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <4602@xenna.Encore.COM>
Date: 6 Jan 89 22:41:45 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <274@ultb.UUCP>
Organization: Encore Computer Corp, Marlboro, MA
Lines: 27
In-reply-to: jal3495@ultb.UUCP's message of 3 Jan 89 19:32:45 GMT
Posting-Front-End: GNU Emacs 18.41.15 of Tue Jun 9 1987 on xenna (berkeley-unix)

From: jal3495@ultb.UUCP (Jeff Leyser)
>The encryption technology currently used is adequate. What is not
>adequate are the users. The recent Internet worm proves this.
>The author of the worm didn't really 'break' the encryption on
>passwords, he just looked for 'obvious' passwords, and he found more
>than a few. GET NEW USERS...ok, ok...I know...

The humorous thing about this oft-repeated line of reasoning is that
"obvious" passwords were only tried AFTER THE WORM HAD BROKEN INTO YOUR
SYSTEM! To try to propagate to other systems. And it wasn't all that
successful when compared to the other major methods of attack used (the
bug in sendmail, the evil finger DAEMON as the papers called it and
.rhosts files.) Attacking passwd files was its last resort when all that
failed, which apparently wasn't very often.

It really is like buying a better lock for the front door because the
thieves keep breaking in through the glass...

It shouldn't be that hard to have the password changing program nudge
people towards better password choices, so the rest of the argument ("to
get users to avoid obvious passwords...may be next to impossible") seems
unfounded.

-Barry Shein, ||Encore||
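One way a password changing program could nudge users away from "obvious" choices, as an added example that is not part of this thread or of any historical passwd implementation; the word list and the account fields (username, GECOS text) are constructed for illustration:

```python
import re

# Constructed stand-in for a dictionary file; a real passwd program would
# consult a full word list (assumed to be available on the system).
COMMON_WORDS = {"password", "secret", "welcome", "qwerty", "letmein"}


def weakness_reasons(candidate, username, gecos=""):
    """Return a list of reasons a proposed password is 'obvious'.

    An empty list means the candidate passed every check.  The checks are
    the ones a password changing program can apply before accepting the
    new password: minimum length, reuse of account information, common
    dictionary words (also reversed or with digits appended), and use of
    only a single character class.
    """
    reasons = []
    lowered = candidate.lower()

    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")

    # Account information: the username and each word of the GECOS field,
    # tried both forwards and reversed.
    tokens = {username.lower()}
    tokens |= {w.lower() for w in re.split(r"[\s,]+", gecos) if w}
    for t in sorted(tokens):
        if len(t) >= 3 and (t in lowered or t[::-1] in lowered):
            reasons.append(f"contains account information '{t}'")

    # Dictionary words, allowing trailing digits ("secret1") and reversal.
    stripped = re.sub(r"\d+$", "", lowered)
    if stripped in COMMON_WORDS or stripped[::-1] in COMMON_WORDS:
        reasons.append("based on a common dictionary word")

    # A password drawn from one character class is far easier to enumerate.
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 2:
        reasons.append("uses only one character class")

    return reasons


if __name__ == "__main__":
    for pw in ("secret1", "jleyser88", "Tr0ub4dor&3"):
        print(pw, "->", weakness_reasons(pw, "jal3495", "Jeff Leyser") or "ok")
```

The caller (the passwd program) would print the reasons back to the user and ask again rather than silently accepting the password.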