Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!uxc!uxc.cso.uiuc.edu!kailand!pwolfe
From: pwolfe@kailand.KAI.COM
Newsgroups: comp.sys.sequent
Subject: Re: Password Aging for 4.2BSD (or DYNIX
Message-ID: <2400039@kailand>
Date: 7 Apr 89 15:36:00 GMT
References: <38996@peregrine.peregrine.com>
Lines: 35
Nf-ID: #R:peregrine.peregrine.com:38996:kailand:2400039:000:2027
Nf-From: kailand.KAI.COM!pwolfe Apr 7 10:36:00 1989

> /* Written by arosen@hawk.ulowell.edu in kailand:comp.sys.sequent */
> VMS tells you when you login "WARNING: Your password expires ".
> But, it doesn't force you to change your password if you login after
> it's expired. If you logout without changing it yourself, you can't
> login again (without talking to your sys admin). In my opinion, this
> is worse than giving no warning.

The best security system I've used was ACF2 on an IBM/MVS system (No flame wars, please!). ACF2 requires much less maintenance than VMS or, if you can call that security, UNIX. When your password was close to expiring, you got warnings, and if you didn't change it in time, the next time you tried to login it would prompt "Old password:", and "New password:". You couldn't login without changing it. Of course this meant you were forced to come up with something quickly on the fly (which usually means a bad choice), but that shouldn't stop you from picking a better one, and changing it again. Plus, ACF2 remembers every password you used within the past six months, and wouldn't let you repeat.

I liked the VMS password generator. It would give you a list of 10 nonsense words built out of pronounceable syllables, and let you pick which one you wanted, or you could opt for another list of 10. I remember passwords better if I can pronounce them. On VMS, the system manager can set up someone's account so that they MUST use the password generator. Those who don't have this set can choose on their own to use it (SET PASSWORD/GENERATE=8 will pick passwords that are at least 8 characters long).

Of course, ACF2 had a problem where someone could "lock-out" another user by trying to guess their password three times. The account was then disabled until the division security manager re-enabled it. VMS only disables the account from logging in at the terminal where the break-in attempt occurred. But that's another story.

Patrick Wolfe (pat@kai.com, {uunet,uiucuxc}!kailand!pat)
System Manager, Kuck and Associates