Xref: utzoo sci.crypt:1416 comp.unix.wizards:13671 news.sysadmin:1993
Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!ucbvax!husc6!encore!bzs
From: bzs@Encore.COM (Barry Shein)
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Subject: Re: password security
Message-ID: <4469@xenna.Encore.COM>
Date: 23 Dec 88 17:47:21 GMT
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <4420@xenna.Encore.COM> <259@gloom.UUCP> <4444@xenna.Encore.COM> <1115@actnyc.UUCP>
Organization: Encore Computer Corp, Marlboro, MA
Lines: 51
In-reply-to: prh@actnyc.UUCP's message of 21 Dec 88 21:41:32 GMT
Posting-Front-End: GNU Emacs 18.41.15 of Tue Jun  9 1987 on xenna (berkeley-unix)


From: prh@actnyc.UUCP (Paul R. Haas)
>In article <4444@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>>The average secretary I know is bright enough to understand rules like
>>"use two short words with some upper-case letters and/or digits thrown
>>in and separated by a punctuation, like "Hey!Jude" "FidoIS#1". Very
>>hard to guess, very easy to remember, next...

>Give a thousand secretaries that same set of instructions and you will
>get far less than a thousand different passwords.  Sort them in order
>of frequency and try them all on whatever system you are trying to
>crack.  You certainly won't be able to break all the accounts, but you
>will get a few.

Is this based on *anything*? Or just a wild guess, sounds utterly
baseless to me. You honestly think if I told 1000 people to:

	choose two short words separated by a punctuation character
	and mix some upper-lower case into the words

I would frequently get the exact same result from different people?

Gads, and what might that result be? The world of human psychology
awaits your discovery! (the only exception I can imagine is that if
you gave an example they'd all use the example, but other than that,
you can check for that easily enough.)

>If people are allowed to create their own passwords, there should not be
>a way to try ten thousand different passwords on each account with out
>triggering some alarm.

I doubt you can ever achieve this as someone only needs access to your
encryption algorithm.

>If security is really important it may be usefull to put the shadow
>password file on a separate server machine.  The server machine should be
>physically and electronically remote so that the only requests it
>services are "check password/username", "add password/username",
>"remove password/username" and "changepassword
>newpassword/oldpassword/username".  This implies that backups and restores
>have to be done manually.  A logical migration path to a secure password
>server is to use a shadow password file which is normally only accessable
>through a small well defined interface.

Unfortunately you now have to trust your network (eg. that I can't
send "password ok" messages from a different system.)

It's a hard problem, merely adding layers of complexity is not a
particularly compelling approach. That's my whole poing.

	-Barry Shein, ||Encore||