System Security
Peter Jeremy
peter at stca77.stc.oz
Thu Dec 8 06:29:49 AEST 1988

In the wake of the RTM worm, there has been much discussion on system
security in various newsgroups. One item that caught my eye (sorry,
I can't remember the reference) suggested running a daemon that checked
for trivial passwords, and mailing the user and sysadm when one was found.

This sounded like a good idea, until I thought it through. The core of
such a daemon is a password _cracker_. Whilst the daemon itself should
be innocuous (subject to bugs :-), the source would make an excellent
basis for a worm.

Question for all you wizards out there: Is such a program "legitimate"?
What should I do with the source (and presumably the executable) to prevent
misuse? Or is such a program such a trivial exercise that it is not
worth protecting?

The other logical approach is an improved PASSWD(1) program that prevents
users using trivial passwords. Does anyone have such a beast? What is
a good (quick*) way of deciding whether a password is trivial?

--
Peter Jeremy (VK2PJ) peter at stca77.stc.oz
Alcatel-STC Australia ...!uunet!stca77.stc.oz!peter
41 Mandible St peter%stca77.stc.oz at uunet.UU.NET
ALEXANDRIA NSW 2015
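
An added example, not part of the original post: a sketch of the kind of check a password-change program could apply to a new password before accepting it, so no stored hashes are ever attacked. The function name `trivial_reason`, the minimum length of 6, the rules and the tiny word list are all assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample list (assumption); a real site would load a dictionary. */
static const char *const COMMON[] = { "password", "secret", "wizard", "qwerty" };

/* True if a equals b read backwards, ignoring case. */
static int is_reverse_of(const char *a, const char *b)
{
    size_t n = strlen(a), i;
    if (n != strlen(b)) return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[n - 1 - i]))
            return 0;
    return 1;
}

/* Hypothetical helper: NULL if the candidate is accepted, else the reason. */
const char *trivial_reason(const char *login, const char *candidate)
{
    size_t n = strlen(candidate), i;
    int lower = 0, upper = 0, digit = 0, other = 0, same = 1;

    if (n < 6) return "too short";
    if (!strcasecmp(candidate, login) || is_reverse_of(candidate, login))
        return "derived from login name";
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)candidate[i];
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
        if (c != (unsigned char)candidate[0]) same = 0;
    }
    if (same) return "one repeated character";
    for (i = 0; i < sizeof COMMON / sizeof COMMON[0]; i++)
        if (!strcasecmp(candidate, COMMON[i])) return "common word";
    if (lower + upper + digit + other < 2) return "single character class";
    return NULL;
}

int main(void)
{
    const char *why = trivial_reason("peter", "Password"); /* constructed input */
    printf("%s\n", why ? why : "accepted");
    return 0;
}
```

Every rule runs in time linear in the password length plus one pass over the word list, which keeps the check quick enough to run at each password change.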