Path: utzoo!attcan!uunet!lll-winken!ames!pacbell!att!occrsh!occrsh.ATT.COM!scsmo1.UUCP!tim
From: tim@scsmo1.UUCP
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <2400005@scsmo1.UUCP>
Date: 15 Jan 89 02:59:00 GMT
References: <228@sea375.UUCP>
Lines: 37
Nf-ID: #R:sea375.UUCP:-22800:scsmo1.UUCP:2400005:000:1588
Nf-From: scsmo1.UUCP!tim    Jan 14 20:59:00 1989

The idea of a pass phrase is nice, but I'm not going to start hacking on my
system to implement it until I see some proof that it is better.

Currently on my system I have:
    passwords must be at least 6 chars.
    passwords must have a non-alpha char.

Using this I have about 400,000 passwords for the typical user. Most users
will pick a password like pencil1. They pick a digit (typically 1) and a
word. I figure 20,000 words * 20 digit combinations = 400,000 passwords.

Now if I were to use phrases I would bet that at least one pass phrase would
be "mary had a little lamb." If I saw that a user typed "little" it would be
easy to guess. I have asked users to come up with a pass phrase and most
will come up with something predictable. So far the common ones are
"mary had a ...", "Soil Conservation Service" and "I don't want to type this
much". I think that all it would take to break this approach is to log the
phrases and make users change them weekly. You would have a nice big list to
crypt for cracking purposes.

The only ideas that I have seen that I think will be a great improvement
will change the salt perturb table in a machine-independent way (like prompt
the sysop for a key when setting up, or use the serial no.), or check the
time between keystrokes. This won't work over dialup lines if you set the
timing at work, but how about more than one dataset? I have seen an example
of using a timed passwd() and it works; I could not get it to accept the
correct password, and the only one that could was the one who set it.

-tim@scsmo1.uucp   tim hogard   usda-scs
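An added illustration of the point the post makes about the "word plus a digit" habit (not code from the original article or its author): the stated policy admits a password like pencil1, and the space of everything users actually pick under that habit is small enough to enumerate offline. The word list, the salt and the target password are constructed for the example; salted SHA-256 stands in for crypt(3), since the attack is the same for any cheap, unthrottled hash.

```python
import hashlib
from typing import Iterator, Optional, Tuple

# Constructed stand-in for the ~20,000-entry system dictionary the post assumes.
WORDS = ["pencil", "apple", "lamb", "soil", "mary", "little", "river", "house"]

# Number of "word + digit" variants per word: a digit (0-9) appended or prepended.
VARIANTS_PER_WORD = 20


def policy_ok(password: str) -> bool:
    """The policy from the post: at least 6 characters and at least one non-alpha."""
    return len(password) >= 6 and any(not c.isalpha() for c in password)


def space_size(n_words: int) -> int:
    """Candidate count for the word-plus-digit habit (the post's 20,000 * 20 figure)."""
    return n_words * VARIANTS_PER_WORD


def hash_password(password: str, salt: str) -> str:
    """Stand-in for crypt(3): salted SHA-256 (assumption for the example)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def candidates(words) -> Iterator[str]:
    """Enumerate the word-plus-digit space: each word with a digit after or before it."""
    for w in words:
        for d in "0123456789":
            yield w + d
            yield d + w


def crack(target_hash: str, salt: str, words) -> Tuple[Optional[str], int]:
    """Offline dictionary attack: hash every candidate with the known salt and
    compare to the stored hash. Returns (password or None, number of tries)."""
    tries = 0
    for cand in candidates(words):
        # Only candidates the policy admits need to be hashed at all.
        if not policy_ok(cand):
            continue
        tries += 1
        if hash_password(cand, salt) == target_hash:
            return cand, tries
    return None, tries


if __name__ == "__main__":
    salt = "ab"  # constructed two-character salt, as crypt(3) would store it
    stored = hash_password("pencil1", salt)  # constructed target
    print("policy accepts pencil1:", policy_ok("pencil1"))
    print("search space for 20,000 words:", space_size(20000))
    print("cracked:", crack(stored, salt, WORDS))
```

The policy check passes pencil1 while rejecting pencil, and the attack recovers pencil1 on the third candidate hashed; against the full 20,000-word list the whole space is 400,000 hashes, which was well within reach of a single machine even in 1989.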