Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!agate!helios.ee.lbl.gov!nosc!logicon.arpa!Makey
From: Makey@LOGICON.ARPA (Jeff Makey)
Newsgroups: comp.unix.questions
Subject: Re: /etc/passwd consolidation
Keywords: password security
Message-ID: <368@logicon.arpa>
Date: 3 Mar 89 20:29:13 GMT
References: <7078@thorin.cs.unc.edu>
Organization: Logicon, Inc., San Diego, CA
Lines: 22

In article <7078@thorin.cs.unc.edu> hamilton@harrison.cs.unc.edu (Johnny Hamilton) writes:
> Optimally, this utility would distribute the encoded password
> so that our programs that search for easy-to-break passwords would
> only have to work on one encryption for each user.

Of course, this also means that *their* (the bad guys') programs that
search for easy-to-guess (and not-so-easy-to-guess) passwords would
only have to work on one encryption for each user. Actually, the only
place you would have to run your guesser is at the password server
node, since you would know that any password guessed there would be on
all the other machines as well. The bad guys would know this too,
naturally.

I hope you have taken into consideration the security risks of using
the same password on more than one machine, since this must be weighed
against the convenience of this scheme.

:: Jeff Makey

Department of Tautological Pleonasms and Superfluous Redundancies Department
Disclaimer: Logicon doesn't even know we're running news.
Internet: Makey@LOGICON.ARPA
UUCP: {nosc,ucsd}!logicon.arpa!Makey