Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!usc!brutus.cs.uiuc.edu!apple!ames!dftsrv!hq!mitch
From: mitch@hq.af.mil (Mitchell..Wright)
Newsgroups: comp.unix.wizards
Subject: Re: What should the password...
Message-ID:
Date: 15 Dec 89 15:41:32 GMT
References: <4180@sbcs.sunysb.edu> <1989Dec7.172233.10130@chinet.chi.il.us> <7284@ficc.uu.net> <10665@unix.UUCP> <7311@ficc.uu.net> <6602@jpl-devvax.JPL.NASA.GOV>
Sender: mitch@hq.af.mil
Organization: Air Force HQ, The Pentagon
Lines: 58
In-reply-to: lwall@jpl-devvax.JPL.NASA.GOV's message of 15 Dec 89 01:02:15 GMT

> Newsgroups: comp.unix.wizards
> Date: 15 Dec 89 01:02:15 GMT

lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:

>We FORCE people to have the same password everywhere. Even if some users
>[...] Once a cracker gets onto one of our machines, he can get to any of
>the others anyway, so why have different passwords?
>

Having different passwords would keep the cracker off of your other machines.
It is the use of '.rhosts', etc. that allows this. In my case, you could have
any one of my passwords, but it wouldn't help you gain access to my accounts.

>[...]
>By the way, another reason for having the same password everywhere is that
>we force a person's password entry to have the same salt in every password
>file. If you let people have the same password on different machines but
>use different salts (and if the salts are different, how can you prevent
>people from using the same password anyway?) then your salt protection
>is weakened. Suppose you have your password out there with 40 different
>salts. Someone only has to encrypt using 1/40th of the salts to get a hit
>on your password.
>

I agree that it is difficult (if not impossible) to get users to use
different passwords on different systems. It should be emphasized that it
increases their personal security as well as the systems'. I have heard the
argument that "It is too hard to remember X number of passwords".

Well, it's not - you just have to set up a system for yourself. A system I
used for a while was to take an acronym (i.e. nasa) and combine it with a
non-alphanumeric (i.e. !) and append the hostname (first ~3 char). For
instance, my password on Podunk.edu might be "cuw*Podu". Your acronyms can
be as obscure as you want.

Using the hostname is probably not a good thing to use to vary your
passwords since a cracker could probably figure that pattern out. So using
this concept one could make the password "P[cuw]u", to make the pattern less
obvious, or use a non-obvious varying part "cuw!07" where the "07" part might
mean the 7th choice on your terminal emulator's calling directory amongst
other things.

Of course the real strength in this password scheme is not that the
passwords are different, but that an acronym can be a very good password and
a good acronym will only be "cracked" by an exhaustive search.

..mitch

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mitch Wright                        Currently under contract to:
P.O. Box 46135                      USAF 7th CG, DOWL
Washington DC 20050                 ARPA: mitch@hq.af.mil
gretzky@unison.larc.nasa.gov        UUCP: uunet!hq.af.mil!mitch
AT&T: (202) 697-3774                BLDG: Pentagon   ROOM: 1D159
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
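A worked quantification of the salt argument quoted from Larry Wall above, added here as an example and not part of the original post or its thread. It assumes the classic crypt(3) 12-bit salt (4096 values) and an attacker who precomputes a dictionary for a uniformly random subset of salts; the function names are my own.

```python
import math

# Assumption: the 1989 Unix crypt(3) scheme, a 12-bit salt with 4096 values.
SALT_SPACE = 4096


def coverage_probability(user_salts: int, table_salts: int,
                         salt_space: int = SALT_SPACE) -> float:
    """Probability that a dictionary precomputed for `table_salts` salts
    (chosen uniformly, without replacement) covers at least one of the
    `user_salts` distinct salts under which one person's password is stored
    across many password files.  With `user_salts == 1` (same salt in every
    file) the attacker's table must contain that one salt; with 40 distinct
    salts any one of 40 will do."""
    if not 0 <= user_salts <= salt_space or not 0 <= table_salts <= salt_space:
        raise ValueError("salt counts must lie within the salt space")
    # Complement event: every precomputed salt misses all of the user's salts.
    miss = (math.comb(salt_space - user_salts, table_salts)
            / math.comb(salt_space, table_salts))
    return 1.0 - miss


def expected_salts_until_hit(user_salts: int,
                             salt_space: int = SALT_SPACE) -> float:
    """Expected number of salts an attacker must precompute, working through
    the salt space in random order, before reaching the first salt the
    user's password is stored under.  This is the mean minimum of
    `user_salts` distinct uniform positions among `salt_space`, which is
    (N + 1) / (k + 1): about 2048 for one salt, about 100 for forty."""
    if not 1 <= user_salts <= salt_space:
        raise ValueError("need at least one salt, at most the whole space")
    return (salt_space + 1) / (user_salts + 1)


if __name__ == "__main__":
    # Same password stored under 1 salt everywhere versus 40 different salts.
    for k in (1, 40):
        print(f"{k:2d} distinct salt(s): "
              f"P(one random precomputed salt hits) = "
              f"{coverage_probability(k, 1):.6f}, "
              f"P(100-salt table hits) = {coverage_probability(k, 100):.4f}, "
              f"expected salts until first hit = "
              f"{expected_salts_until_hit(k):.1f}")
```

The per-salt hit probability for 40 salts is exactly 40 times that for one salt, which is the "1/40th of the salts" in the quoted message; the expected-work view grows more slowly because even a single salt sits, on average, halfway through a random ordering.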