Xref: utzoo sci.crypt:1420 comp.unix.wizards:13676 news.sysadmin:1998
Path: utzoo!attcan!uunet!peregrine!elroy!ames!ucsd!rutgers!att!ulysses!andante!alice!debra
From: debra@alice.UUCP (Paul De Bra)
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Subject: Re: password security
Message-ID: <8594@alice.UUCP>
Date: 23 Dec 88 21:20:07 GMT
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <4420@xenna.Encore.COM> <259@gloom.UUCP> <5005@b-tech.ann-arbor.mi.us> <5835@saturn.ucsc.edu>
Reply-To: debra@alice.UUCP ()
Organization: AT&T, Bell Labs
Lines: 24

In article <5835@saturn.ucsc.edu> haynes@ucscc.UCSC.EDU (Jim Haynes) writes:
}In article <5005@b-tech.ann-arbor.mi.us> zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff) writes:
}>The simple solution seems to be to force users to use some non alpha
}>character somewhere in the middle of their passwords. Users then tend
}>to use a combination of two words which prevents the dictionary search.
}
}the 4.3-tahoe-BSD version of passwd seems to do this. At least the last
}time I logged into a tahoe system and tried to change my password it
}wouldn't rest until I had put a non-alphabetic character into it.
}Had the same experience on a Convex machine.
}
Requiring the use of a non-alphanumeric character is not at all sufficient.
Many people react to this by just putting a special character (usually ".")
in front of their old password...
Now, if you start by forcing users to put the non alphanumeric char somewhere
in the middle of the password this would no longer work, but users will
still come up with passwords that are a lot easier to guess than
zXk.4;ur...

Paul.
--
------------------------------------------------------
|debra@research.att.com | uunet!research!debra |
------------------------------------------------------
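The checks discussed in this thread, as an added example that is not part of the original post and is not the tahoe or Convex passwd code. It goes slightly beyond the post by also flagging passwords built only from dictionary words; the function names and the tiny word list are assumptions made for illustration, and the old password is assumed to be available in clear text at change time.

```python
import re

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"wizard", "secret", "dragon", "summer", "blue", "moon"}


def alnum_runs(password):
    """Return the lowercase alphanumeric runs of a password, in order."""
    return [run.lower() for run in re.findall(r"[A-Za-z0-9]+", password)]


def check_new_password(new, old, words=SAMPLE_WORDS):
    """Return the reasons to reject `new`; an empty list means accept."""
    reasons = []

    # Rule from the thread: at least one non-alphanumeric character...
    if not re.search(r"[^A-Za-z0-9]", new):
        reasons.append("no non-alphanumeric character")
    # ...and it must sit between alphanumerics, not at either edge.
    elif not re.search(r"[A-Za-z0-9][^A-Za-z0-9]+[A-Za-z0-9]", new):
        reasons.append("non-alphanumeric character only at the edge")

    # The habit described in the post: the old password with punctuation
    # added. Comparing with all punctuation stripped catches ".wizard"
    # and also "wiz.ard", which the positional rule alone lets through.
    runs = alnum_runs(new)
    if old and "".join(runs) == "".join(alnum_runs(old)):
        reasons.append("old password with punctuation added")

    # Passwords assembled purely from dictionary words stay guessable
    # even when a separator is placed in the middle.
    if runs and all(run in words for run in runs):
        reasons.append("built only from dictionary words")

    return reasons


if __name__ == "__main__":
    for candidate in (".wizard", "wiz.ard", "blue.moon", "zXk.4;ur"):
        print(candidate, check_new_password(candidate, old="wizard"))
```
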