Path: utzoo!attcan!uunet!lll-winken!ames!haven!grebyn!macom1!roth
From: roth@macom1.UUCP (Dennis Paul Roth)
Newsgroups: comp.unix.wizards
Subject: Re: [Lynn R Grant: Password Aging]
Message-ID: <4786@macom1.UUCP>
Date: 13 Jan 89 00:42:37 GMT
References: <6@minya.UUCP> <4783@macom1.UUCP>
Organization: CENTEL Federal Systems, Reston, VA. 22091-1506
Lines: 42

In article , rickf@uts.amdahl.com (Rick Francis) writes:
>
> But there is a difference between a password and a key. If I get a
> quick look at your house key without your knowledge, the security of
> your house hasn't been compromised. But if I see the "key" to your
> computer account...

... you've got to be one of the select few who will recognise the
significance of what you've seen. Either you're an outsider trying to
break into my system or an insider betraying the organization.

One part of the security of my system has been compromised. I'll
concede you that. But one of the points I've been trying to make is
that computer security is more than just passwords. Now that you've
seen my password you've got to get access to my computer. There's more
to access control than just passwords.

An insider already knows how to access the system or can find out how.
There is little or no defense against betrayal by those who have been
trusted. We can punish those that we catch to deter others from doing
the same.

The outsider needs more than just a password to break a system where
real security exists. The only thing you need to rob my house is the
key to my front door and the only thing you need to get into some low
security computers is a login and password. You need more than the key
to the front door to rob The National Gallery of Art and you need more
than a password to get at a secure system. Security measures should be
proportional to the value of what's being defended.

Your original point was that if you give users a non-trivial password
some dummies will write it down. I would like to add that if you give
users trivial passwords some dummies will write them down. Further, no
matter how the passwords are selected, some dummies will write their
login and password on a piece of paper and tape it to their terminal.
But, if you use non-trivial passwords you make it much harder for an
outsider to get in. He's got to be damn lucky to get a peek at the
piece of paper the careless user has written the password on and he
has to know what he's seen.

--
Dennis Roth                  ...grebyn!macom1!roth
Centel Federal Systems       roth@macom1.UUCP
11400 Commerce Park Drive
Reston, VA 22091-1506        703-758-7000