good passwords

PAAAAAR%CALSTATE.BITNET at cunyvm.cuny.edu
Wed Jul 13 22:54:56 AEST 1988


Received: by CALSTATE via BITNet for PAAAAAR at CALSTATE (CSUMailer (1.2));
          Sat, 9 Jul 88 10:30:21 PDT
Received: by BYUADMIN (Mailer X1.25) id 8879; Sat, 09 Jul 88 11:28:12 MDT
Date:     Fri, 8 Jul 88 14:51:35 EDT
Reply-To: INFO-UNIX at BRL.ARPA
Sender:   I-UNIX at TCSVM
From:     roberts at CMR.ICST.NBS.GOV
Subject:  good passwords
Comments: To: info-unix at BRL.ARPA
To:       PAAAAAR at CCS.CSUSCC.CALSTATE.EDU


Careful analysis shows that the best possible password is "k75LL43j". If
you want to have the greatest available security, you should change your
password to this value right away.

<For those who didn't get it, I'm JUST KIDDING. Don't do it. (See if you
can figure out why.)>
                                                 John Roberts
                                                 roberts at cmr.icst.nbs.gov


===== Reply from Richard Botting <PAAAAAR> ===========================

You can increase the security of passwords fairly simply by expanding the
character set involved.  A randomly placed '@' or '.' is a way to stop
anyone trying to crack your account - who has never used a system with
non-alpha-numeric passwords.

Which Unix flavours (if any) permit control codes in passwords?
If you can, the occasional CTRL/H may foil many 'amateur' attempts.

It is important for these strategies not to be known - so why am I posting them!

Well, if everybody starts including a strange character, then I can make my
accounts safe by not having one...

Another way to improve security is to use a dictionary, opened at random
to select two shortish words as your new passwd.

To protect novice students you can include 'passwd' in their .profile/.login
files in their home directories.  This means that they have to think about
not changing it until they learn how to edit their .profile/.login files...

It is not difficult by the way to hack the source code for login.c so
that
    (1) only N attempts can be made (N close to 3 is good)
    (2) attempts that fail are printed on the console (paper is not erasable)
    (3) The N+1 th attempt logs the person in as a 'guest'
                on our system the shell for guests (bona fide and accidental)
                is a hyper simple BBS with the ability to send and read mail.
                (useful for people who forget their password).

I did these things and have had the system running 24 hours a day
with phone number published nationally and locally - with nobody
yet managing to crack the system.

Here is a final experimental idea.  Replace pass *words* by pass *phrases*.
In other words the user remembers 'Shall I compare thee to a summer's day'
and types SIcttasd.
This looked good until I read one of St. Isaak Asimov mystery tales that
has this type of password figured out by a waiter.

Any other ideas????
Dick Botting
PAAAAAR at CCS.CSUSCC.CALSTATE(doc-dick)
paaaaar at calstate.bitnet
PAAAAAR%CALSTATE.BITNET@{depends on the phase of the moon}.EDU
Dept Comp Sci., CSUSB, 5500 State Univ Pkway, San Bernardino CA 92407
Disclaimer: What with my brain, my fingers, this Mac, the PDP, the CSU CYBERS
            Transmission errors, your machine, terminal eyes and brain..
            I probably didn't think what you thought you just read any way!
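The three login.c changes Botting lists above, as an added example that is not his code or any real login.c: a constructed attempt-limiter in C that enforces the N-attempt cap, writes each failure to an audit console, and routes the (N+1)th attempt to a guest shell instead of the real account. The account name, password and MAX_ATTEMPTS value are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ATTEMPTS 3   /* Botting's N; "N close to 3 is good" */

enum login_result { LOGIN_OK, LOGIN_RETRY, LOGIN_GUEST };

struct login_session {
    int failures;    /* failed attempts so far in this session */
    FILE *console;   /* audit sink; a paper console in the original */
};

/* Assumed credential check with one constructed account; a real login.c
 * compares against the stored password hash instead. */
static int password_ok(const char *user, const char *pw) {
    return strcmp(user, "alice") == 0 && strcmp(pw, "correct-horse") == 0;
}

enum login_result login_attempt(struct login_session *s, const char *user,
                                const char *pw) {
    if (s->failures >= MAX_ATTEMPTS) {
        /* (3) The (N+1)th attempt never reaches the real account: the
         * caller is handed the restricted guest shell instead. */
        fprintf(s->console, "login: %s exceeded %d attempts, guest shell\n",
                user, MAX_ATTEMPTS);
        return LOGIN_GUEST;
    }
    if (password_ok(user, pw)) {
        s->failures = 0;
        return LOGIN_OK;
    }
    s->failures++;
    /* (2) Record the failure on the console; the guessed password itself
     * is deliberately not written there. */
    fprintf(s->console, "login: failed attempt %d/%d for user %s\n",
            s->failures, MAX_ATTEMPTS, user);
    return LOGIN_RETRY;   /* (1) caller may prompt again while under N */
}

/* Feeds a constructed sequence of passwords through one session and
 * returns where it ended up, so the policy can be checked offline. */
enum login_result run_session(const char *user, const char **pws, int n,
                              FILE *console) {
    struct login_session s = { 0, console };
    enum login_result r = LOGIN_RETRY;
    for (int i = 0; i < n && r == LOGIN_RETRY; i++)
        r = login_attempt(&s, user, pws[i]);
    return r;
}
```

Three wrong guesses followed by the correct password still end in LOGIN_GUEST, which is exactly point (3): once N failures are on the console, the session never reaches the real account.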
