Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uunet!wuarchive!texbell!ficc!peter
From: peter@ficc.uu.net (Peter da Silva)
Newsgroups: comp.unix.wizards
Subject: Re: What should the password/security/userinfo/login system include?
Message-ID: <7311@ficc.uu.net>
Date: 14 Dec 89 19:45:40 GMT
References: <4180@sbcs.sunysb.edu> <1989Dec7.172233.10130@chinet.chi.il.us> <7284@ficc.uu.net> <10665@unix.UUCP>
Reply-To: peter@ficc.uu.net (Peter da Silva)
Distribution: usa
Organization: Xenix Support, FICC
Lines: 37

In article <10665@unix.UUCP> ram@attcan.UUCP (Richard Meesters) writes:
> In article <7284@ficc.uu.net>, peter@ficc.uu.net (Peter da Silva) writes:
> > Password aging makes it more likely that a user will use the same password
> > on a large number of machines, simply because it increases the number of
> > things that user needs to remember.

> Huh? Maybe I'm not reading this right. Users will naturally gravitate to
> using the same password on multiple systems, IMHO, for the same reasons you
> have listed above.

If the user is conscientious, then they will use different passwords up to
some limit. The more frequently they have to switch to a new password, the
fewer machines they'll be willing to have unique passwords on.

If the user is not conscientious, they'll use the same password everywhere
and minimise the effect of aging by using (say) "secret1" then "secret2",
or toggle between two passwords, or otherwise work around the password aging.

So, at the best password aging doesn't improve security. At worst, it
reduces it.

When the system makes *me* change, I then change back to the old one. And
change passwords on my schedule.

> > * Stripping everything from the password file but name, password,
> > user id, and home.

> This looks a lot like what 386 unix already does with /etc/shadow and the
> password file.

Nah, this puts *more* stuff in the password file. All the old stuff, plus
password aging.
--
`-_-' Peter da Silva. +1 713 274 5180. .
'U` Also or .
"It was just dumb luck that Unix managed to break through the Stupidity
Barrier and become popular in spite of its inherent elegance."
-- gavin@krypton.sgi.com