a thought about UNIX login security

gwyn%brl-vld at sri-unix.UUCP
Sun Jun 19 03:20:09 AEST 1983


From:      Doug Gwyn (VLD/VMB) <gwyn at brl-vld>

The "passwd" program simply ought to refuse to let one choose a
password that is in the on-line word list (or spelled backward,
etc.), or one that is too short, or in the list of login names,
etc.

The "salt" characters help somewhat, and the time it takes to encrypt
a password is comfortably large.

On BRL UNIX, the encrypted passwords are stored in a protected
file to force all accesses to go through trusted system code.
Three invalid login attempts and you're disconnected.

By a combination of tricks like the above, it should be quite
hard to break into a system.

If guest accounts (anonymous logins etc.) set up a "restricted"
environment then such accounts should pose little danger since
the passwords for other accounts would be inaccessible.
Unfortunately Berkeley has stolen the name "rsh" to mean something
other than the "restricted shell" but that is easy to work around.
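
The checks proposed in the first paragraph of the post, written out as an added example (not code from the post or from any "passwd" implementation). The minimum length, the case folding, and the sample word list and passwd-format lines are assumptions constructed for illustration.

```python
"""Added example: pre-acceptance checks for a passwd-style program."""

MIN_LENGTH = 8  # assumption: the post gives no figure for "too short"

# Constructed sample data, standing in for the on-line word list and
# for the login-name field of a passwd-format file.
SAMPLE_WORDS = "wizard\nkernel\npassword\nelephant\n"
SAMPLE_PASSWD = (
    "root:x:0:0:Super User:/:/bin/sh\n"
    "guest:x:100:100:Guest:/usr/guest:/bin/sh\n"
    "operator:x:101:100:Operator:/usr/operator:/bin/sh\n"
)


def load_words(text):
    """Return the lower-cased set of non-empty lines in a word list."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def load_logins(passwd_text):
    """Return the lower-cased login names (first colon-separated field)."""
    return {
        line.split(":", 1)[0].lower()
        for line in passwd_text.splitlines()
        if line and not line.startswith("#")
    }


def rejection_reason(candidate, words, logins, min_length=MIN_LENGTH):
    """Return why `candidate` must be refused, or None if it passes."""
    if len(candidate) < min_length:
        return "too short"
    folded = candidate.lower()
    # Test the candidate and its reversal against both lists.
    for form, label in ((folded, ""), (folded[::-1], " spelled backward")):
        if form in words:
            return "dictionary word" + label
        if form in logins:
            return "login name" + label
    return None


if __name__ == "__main__":
    words, logins = load_words(SAMPLE_WORDS), load_logins(SAMPLE_PASSWD)
    for pw in ("root", "Elephant", "rotarepo", "tnahpele", "c7#Lq!vTz2"):
        print(f"{pw!r}: {rejection_reason(pw, words, logins) or 'accepted'}")
```
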


