Path: utzoo!attcan!uunet!lll-winken!ames!mailrus!csd4.milw.wisc.edu!astieber
From: astieber@csd4.milw.wisc.edu (Anthony J Stieber)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <356@csd4.milw.wisc.edu>
Date: 12 Jan 89 05:38:52 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <6634@killer.DALLAS.TX.US> <674@ihnet.ATT.COM> <8705@bloom-beacon.MIT.EDU> <9326@smoke.BRL.MIL> <329@csd4.milw.wisc.edu> <244@ibd.BRL.MIL>
Sender: news@csd4.milw.wisc.edu
Reply-To: astieber@csd4.milw.wisc.edu (Anthony J Stieber)
Organization: University of Wisconsin-Milwaukee
Lines: 44

In article <244@ibd.BRL.MIL> heilpern@brl.arpa (Mark A. Heilpern (IBD) ) writes:
>In article <329@csd4.milw.wisc.edu> astieber@csd4.milw.wisc.edu (Anthony J Stieber) writes:
>.>How about this:
>.>   Each account has several passwords, only one is active
>.>   at a time. On each login the next password (or phrase)
>.>   is activated. An alternative would be that at logout
>.>   a password would randomly be chosen and a message
>.>   referring to that password would be printed for the
>.>   user. The advantage to this is that a user would
>.>   know the moment they tried to login that someone
>.>   has used their account (unless all passwords were
>.>   broken).
>
>
>Too many people are complaining that their users can not remember
>'complicated' passwords like "bad!memory", so how can we expect them to
>remember what the computer said (eluded) their next password will be?
>Also, when it came time to change the password, would he have to change
>all of them, or just the one last used?

Well, if remembering is a problem, the first method can be used.
Each password is used in turn. The passwords themselves might be
an easily remembered phrase.

One problem that I see now is that this will only keep out intruders
over the long term. Most problems occur, however, with the very first
illicit login.

For maximum security each password would have to be changed one at a
time on each login. If this were not done, an intruder could just
successfully login once then attempt to change each password one at a
time. A less secure way would be to require all passwords to be changed
by typing them all as a single string to replace them with another
string containing the new passwords. The latter method would be the
easiest mnemonically.

Of course all of this could be worthless.

...comments?
--
Tony Stieber	astieber@csd4.milw.wisc.edu
Postscript programmers do it on the sheets.
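
A small simulation of the rotation scheme discussed in this post, added here as an illustration and not code from the thread. The class name, the PBKDF2 hashing, the sample phrases, and the reading of "changed one at a time on each login" as "a session may replace only the password it logged in with" are assumptions.

```python
import hashlib, hmac, os

def _digest(secret: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the system's one-way password function (assumption).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

class RotatingAccount:
    """Several passwords per account; exactly one is active, advancing on each login."""

    def __init__(self, passwords):
        self.salts = [os.urandom(16) for _ in passwords]
        self.hashes = [_digest(p, s) for p, s in zip(passwords, self.salts)]
        self.active = 0  # index of the password the next login must present

    def login(self, attempt):
        """Return a session dict on success, None on failure (no rotation on failure)."""
        i = self.active
        if not hmac.compare_digest(_digest(attempt, self.salts[i]), self.hashes[i]):
            return None
        self.active = (i + 1) % len(self.hashes)
        return {"slot": i, "changed": False}

    def change(self, session, new_password):
        """Strict rule: a session may replace only the slot it logged in with, once."""
        if session["changed"]:
            return False
        i = session["slot"]
        self.salts[i] = os.urandom(16)
        self.hashes[i] = _digest(new_password, self.salts[i])
        session["changed"] = True
        return True

def demo():
    # Constructed sample phrases, one per slot.
    acct = RotatingAccount(["red kettle", "blue ladder", "green anchor"])
    events = [acct.login("red kettle") is not None]   # owner uses slot 0
    other = acct.login("blue ladder")                 # someone else uses slot 1
    events.append(other is not None)
    events.append(acct.login("blue ladder") is None)  # owner's expected phrase fails: the tamper signal
    events.append(acct.change(other, "x1"))           # one change per session is allowed
    events.append(acct.change(other, "x2"))           # a second change is refused
    owner = acct.login("green anchor")                # untouched slot 2 still admits the owner
    events.append(owner is not None and owner["slot"] == 2)
    return events

if __name__ == "__main__":
    print(demo())
```

The third event is the detection property the quoted proposal describes: the owner's next phrase is rejected because the rotation already moved past it.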