Password choices
Root Boy Jim
rbj at nav.icst.nbs.gov
Wed Jul 20 03:53:13 AEST 1988
> From: thad at cup.portal.com
> The following is something pertinent to your question regarding selection
> of passwords. Because it IS of general interest, I'm posting it; don't
> know if there ever was a followup, but the suggestions contained herein
> are good advice nonetheless.
NBS also produced a password recommendation report, but I don't know
what the number is or how to get it. Perhaps the following message was
partially derived from its input. I have a few comments on various parts:
> DDN-MGT-BULLETIN 18 NETWORK INFO CENTER for
> 13 Jan 1984 DCA DDN Program Mgmt Office
> (415) 859-3695 NIC at SRI-NIC
[quoted in part]
> - All unsuccessful log-in attempts (Server TELNET, Server FTP,
> regular log-in, etc.) should be logged and periodically
> reviewed. If the machine is attended by an operator, the
> operator should be notified. A notice of unsuccessful attempts
> should be published to the account user at the time of the
> next successful log-in.
Note: DO NOT log the attempted password! At least not to a file which is
readable by casual users! Remember, superusers have fumble fingers too,
and your log is likely to be filled with legitimate trivial permutations
of the real passwords as well as random attempts to break in. For example,
if your root password is `superman', what do you think a regular
user would try if he saw `supeman' and `supermam' in the log?
> - Auto-disconnect should occur after no more than three unsuccessful
> log-in attempts. This is regardless of the means of
> accessing the machine.
A more fiendish approach is to set a flag after three attempts, and allow
additional logins/passwords to be entered, but reject them even if valid.
One must type a ^D to restart login, but the cracker doesn't know this.
Other approaches have been to disable an account after repeated failures
to log in. I am glad to see this recommendation missing. Suppose I don't
like Fred. I make him unpopular with the sysadmins by intentionally
attempting to log on as him and giving the wrong password.
(Root Boy) Jim Cottrell <rbj at icst-cmr.arpa>
National Bureau of Standards
Flamer's Hotline: (301) 975-5688
The opinions expressed are solely my own
and do not reflect NBS policy or agreement
Careful with that VAX Eugene!
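The three points raised in the post (log failures but never the typed password, flag the session after three failures and silently reject everything afterwards until the session is restarted, and tell the user about failed attempts at the next successful login) can be put together in one small login gate. The following is an added example written for this archive page, not code from the post or from NBS; the class and function names, the in-memory credential store, the `tty00` source label and the sample password `superman` (taken from the post's own illustration) are all constructed for the demonstration. Lockout state is kept per session rather than per account, so a hostile user who deliberately fails as "fred" gets his own session tarpitted and does not get Fred's account disabled.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum

MAX_FAILURES = 3        # "no more than three unsuccessful log-in attempts"
PBKDF2_ROUNDS = 50_000  # kept modest for a demo; raise for real deployments


class Outcome(Enum):
    SUCCESS = "success"
    REJECTED = "rejected"  # same answer for a wrong password and for the tarpit


def make_credential(password):
    """Salted PBKDF2 digest; the plaintext password is never stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _verify(password, cred):
    salt, digest = cred
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class LoginGate:
    """One interactive login session (hypothetical helper for this example)."""
    creds: dict                    # username -> (salt, digest)
    source: str = "tty00"          # constructed terminal name used in log lines
    failures: int = 0              # failures in this session only
    tarpit: bool = False           # set after MAX_FAILURES; rejects even valid logins
    log: list = field(default_factory=list)
    failed_since_login: dict = field(default_factory=dict)  # per-account counters

    def attempt(self, username, password):
        """Return (Outcome, message). The message carries the notice on success."""
        cred = self.creds.get(username)
        # Always run the hash so timing reveals neither unknown users nor the tarpit.
        valid = cred is not None and _verify(password, cred)
        if valid and not self.tarpit:
            count = self.failed_since_login.pop(username, 0)
            self.log.append(f"login: OK {username} from {self.source}")
            notice = (f"{count} unsuccessful attempt(s) on this account "
                      f"since your last login" if count else "")
            return Outcome.SUCCESS, notice
        self.failures += 1
        if cred is not None:
            self.failed_since_login[username] = self.failed_since_login.get(username, 0) + 1
        # Record account, source and count; the typed password never reaches the log.
        self.log.append(f"login: FAILED {username} from {self.source} (attempt {self.failures})")
        if self.failures >= MAX_FAILURES:
            self.tarpit = True     # from here on, reject everything until reset()
        return Outcome.REJECTED, "Login incorrect"

    def reset(self):
        """The ^D in the post: a fresh session clears only per-session state."""
        self.failures = 0
        self.tarpit = False


def log_leaks(log, secret):
    """Audit helper: True if any log line contains the given string."""
    return any(secret in line for line in log)


if __name__ == "__main__":
    gate = LoginGate({"fred": make_credential("superman")})
    for guess in ("supeman", "supermam", "supermn"):   # fumble-fingered attempts
        print(guess, gate.attempt("fred", guess)[0].value)
    print("correct password while tarpitted:", gate.attempt("fred", "superman")[0].value)
    gate.reset()
    print(gate.attempt("fred", "superman"))
    print("\n".join(gate.log))
```

The log lines hold only the account name, the source and the attempt number, so a reader of the log sees that someone failed three times as fred, not which near-misses of the real password were typed. A second `LoginGate` for the same credential store is unaffected by the first session's tarpit, which is what makes the deliberate-failure nuisance against Fred ineffective.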