Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!samsung!brutus.cs.uiuc.edu!lll-winken!decwrl!henry.jpl.nasa.gov!elroy.jpl.nasa.gov!jpl-devvax!lwall
From: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Newsgroups: comp.unix.wizards
Subject: Re: What should the password/security/userinfo/login system include?
Message-ID: <6602@jpl-devvax.JPL.NASA.GOV>
Date: 15 Dec 89 01:02:15 GMT
References: <4180@sbcs.sunysb.edu> <1989Dec7.172233.10130@chinet.chi.il.us> <7284@ficc.uu.net> <10665@unix.UUCP> <7311@ficc.uu.net>
Reply-To: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Distribution: usa
Organization: Jet Propulsion Laboratory, Pasadena, CA
Lines: 75

In article <7311@ficc.uu.net> peter@ficc.uu.net (Peter da Silva) writes:
: In article <10665@unix.UUCP> ram@attcan.UUCP (Richard Meesters) writes:
: > In article <7284@ficc.uu.net>, peter@ficc.uu.net (Peter da Silva) writes:
: > > Password aging makes it more likely that a user will use the same password
: > > on a large number of machines, simply because it increases the number of
: > > things that user needs to remember.
:
: > Huh? Maybe I'm not reading this right. Users will naturally gravitate to
: > using the same password on multiple systems, IMHO, for the same reasons you
: > have listed above.
:
: If the user is conscientious, then they will use different passwords up
: to some limit. The more frequently they have to switch to a new password,
: the fewer machines they'll be willing to have unique passwords on.

We FORCE people to have the same password everywhere. Even if some users are conscientious here, it's the non-conscientious ones that are the weak link, so your argument doesn't convince me. Once a cracker gets onto one of our machines, he can get to any of the others anyway, so why have different passwords?
: If the user is not conscientious, they'll use the same password everywhere
: and minimise the effect of aging by using (say) "secret1" then "secret2",
: or toggle between two passwords, or otherwise work around the password aging.

We disallow both of these. The new password must be sufficiently different from the old one. You can't EVER reuse a password on our system, period. There's about 27 different kinds of bad password we disallow. We don't tell them what makes a good password since there are many ways to make a good, memorable password, but eventually they figure out their own way, and that's more secure than if we give them a single way to do it.

: So, at the best password aging doesn't improve security. At worst, it
: reduces it.

Password aging definitely improves security here. I don't like it any more than the users do, since I have to change their forgotten passwords more often than they forget them (me being one and them being many). But passwords do have a habit of leaking out from non-conscientious users occasionally, so we have to punish the innocent with the guilty in order to get the level of security we require.

: When the system makes *me* change, I then change back to the old one. And
: change passwords on my schedule.

You get a whole week's warning by mail here so you aren't suddenly forced to think up a new password at an importune moment.

: > > * Stripping everything from the password file but name, password,
: > > user id, and home.
:
: > This looks a lot like what 386 unix already does with /etc/shadow and the
: > password file.
:
: Nah, this puts *more* stuff in the password file. All the old stuff, plus
: password aging.

We have no extra stuff in our password file for aging. The age in weeks, modulo 64, is encoded into one of the salt characters (perturbed by the first two characters of the login name so that salts are still randomly distributed; also, the other salt character is still totally random.) Nifty, eh?
By the way, another reason for having the same password everywhere is that we force a person's password entry to have the same salt in every password file. If you let people have the same password on different machines but use different salts (and if the salts are different, how can you prevent people from using the same password anyway?) then your salt protection is weakened. Suppose you have your password out there with 40 different salts. Someone only has to encrypt using 1/40th of the salts to get a hit on your password.

Larry Wall
lwall@jpl-devvax.jpl.nasa.gov
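The salt-encoded aging scheme Larry describes, worked through as an added example (not code from the post or from JPL): the password's age in weeks, modulo 64, is folded into the first salt character, the second salt character stays random, and no extra password-file field is needed. It assumes the classic crypt(3) 64-character salt alphabet and, since the post does not say how the login name perturbs the age character, sums the code points of the first two login characters mod 64.

```python
import secrets

# Classic crypt(3) salt alphabet: 64 characters, one per 6-bit value
# (assumed; the post does not spell out its alphabet).
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WEEK_SECONDS = 7 * 24 * 60 * 60


def login_perturbation(login: str) -> int:
    """6-bit offset from the first two login characters.

    The post only says the age character is 'perturbed' by those
    characters; summing their code points mod 64 is this example's
    assumption. It keeps first salt characters spread across the
    alphabet even when many users change passwords in the same week.
    """
    return sum(ord(c) for c in login[:2]) % 64


def make_salt(login: str, now: int, rng=secrets.SystemRandom()) -> str:
    """Two-character salt for a password set at Unix time `now`.

    First character: current week number (mod 64) plus the login
    perturbation. Second character: fully random. Hand the result to
    crypt(3) as the salt; the hash then carries its own change date.
    """
    set_week = (now // WEEK_SECONDS) % 64
    aged = SALT_ALPHABET[(set_week + login_perturbation(login)) % 64]
    return aged + SALT_ALPHABET[rng.randrange(64)]


def weeks_since_change(login: str, salt: str, now: int) -> int:
    """Recover the password's age in weeks from the stored salt alone."""
    set_week = (SALT_ALPHABET.index(salt[0]) - login_perturbation(login)) % 64
    current_week = (now // WEEK_SECONDS) % 64
    return (current_week - set_week) % 64


def password_expired(login: str, salt: str, now: int, max_weeks: int) -> bool:
    """Aging check with the scheme's built-in caveat: the week counter
    wraps every 64 weeks, so a password left untouched for 64 weeks looks
    brand new again. max_weeks must stay well below 64 and expiry has to
    be enforced (not merely reported) when it comes due."""
    return weeks_since_change(login, salt, now) >= max_weeks
```

A warning mail, as in the post, would go out when `weeks_since_change` reaches `max_weeks - 1`.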