Better passwords from users

Wilson Heydt whh at pbhya.PacBell.COM
Wed Dec 21 10:45:04 AEST 1988


There has been a lot of discussion lately about enforcing better password
choices by users.  I have a modest suggestion . . .

Why not set up a small daemon that tries to break passwords and reports--
by mail--to the user and the system administrator that the password has been
broken.  Not what the password is--the user knows that, just how long it took
to break.  If the same users are getting their passwords broken quickly,
then the administrator can have a talk with the user about how to pick better
passwords.  If they aren't being broken, then the users are probably making 
good choices.

The complaint about this scheme will be that the cracking program provides
an example to others of How To Do It.  I think this argument fails on two
grounds.  First, as has been often enough pointed out, the attackers already
*know* how this is done--you are not telling them anything new.  Secondly,
the nature of the program will provide clues about what kinds of passwords
are being avoided on a given system.  This second point may be partially
true, but only if the cracker knows what kind of passwords are being avoided
locally.  However, if the cracker has gotten that far into the system, that
knowledge is probably already useless, save as a curiosity.

On the positive side, I think such a program can serve to gently educate 
users about better passwords far more effectively than jumping up and
down and screaming at them.  In addition, you will only have to deal with
those users who are in the habit of picking poor passwords--and not 
irritating those that already pick good ones.

    --Hal

=========================================================================
  Hal Heydt                             |    "Hafnium plus Holmium is
  Analyst, Pacific*Bell                 |     one-point-five, I think."
  415-645-7708                          |       --Dr. Jane Robinson
  {att,bellcore,sun,ames,pyramid}!pacbell!pbhya!whh   
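
The audit daemon proposed in the post, sketched here as an added example
(it is not code from the post, nor anything Hal ran).  Assumptions: a salted
SHA-256 via hashlib stands in for crypt(3); the shadow-style entries and the
wordlist are constructed inline so it runs offline against no real accounts.
It reports only the guess count and time to break, never the matching guess:

```python
"""Sketch of the password-audit daemon described in the post.

Added example, not code from the original post.  Assumptions: the hash is a
salted SHA-256 via hashlib, standing in for crypt(3); the shadow entries and
the wordlist are constructed inline so the audit runs offline.
"""
import hashlib
import time


def hash_pw(salt: str, password: str) -> str:
    """Stand-in for crypt(3) (assumption): salted SHA-256, hex encoded."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed shadow-style entries: (user, salt, hash).
SHADOW = [
    ("alice", "ab", hash_pw("ab", "password")),    # dictionary word
    ("bob",   "cd", hash_pw("cd", "Bob1")),        # login name plus digit
    ("carol", "ef", hash_pw("ef", "xT9#qLw2vZ")),  # not guessable here
]

# Constructed wordlist; a real daemon would read a dictionary file.
WORDLIST = ["letmein", "password", "secret", "wizard", "unix"]


def mangle(word: str):
    """Common cracker transforms of one seed word, in a fixed order."""
    base = [word, word.capitalize(), word.upper(), word[::-1]]
    for b in base:
        yield b
    for b in base[:2]:
        for d in "0123456789":
            yield b + d


def candidates(user: str, wordlist):
    """Guesses derived from the login name first, then from the wordlist."""
    for seed in [user, *wordlist]:
        yield from mangle(seed)


def crack_one(user: str, salt: str, target: str, wordlist) -> dict:
    """Try guesses against one entry.  Records whether the hash was matched,
    how many guesses and how long it took; the matching guess itself is
    deliberately not kept, as the post proposes."""
    start = time.perf_counter()
    guesses = 0
    broken = False
    for guess in candidates(user, wordlist):
        guesses += 1
        if hash_pw(salt, guess) == target:
            broken = True
            break
    return {"broken": broken, "guesses": guesses,
            "seconds": time.perf_counter() - start}


def audit(shadow=SHADOW, wordlist=WORDLIST) -> dict:
    """Run the audit over every entry; returns {user: result}."""
    return {user: crack_one(user, salt, h, wordlist)
            for user, salt, h in shadow}


def mail_body(user: str, result: dict) -> str:
    """Text mailed to the user and the administrator.  Carries only the
    guess count and elapsed time, never the password."""
    header = f"To: {user}, root\n\n"
    if not result["broken"]:
        return header + f"Your password withstood {result['guesses']} guesses."
    return (header + f"Your password was broken after {result['guesses']} "
            f"guesses ({result['seconds']:.3f} s).  Please pick a new one that "
            "is not a word, a name, or either with a digit tacked on.")


def needs_talk(results: dict, threshold: int = 100) -> list:
    """Users whose passwords fell within `threshold` guesses: the ones the
    administrator should have a word with."""
    return sorted(u for u, r in results.items()
                  if r["broken"] and r["guesses"] <= threshold)


if __name__ == "__main__":
    res = audit()
    for u in res:
        print(mail_body(u, res[u]), end="\n\n")
    print("talk to:", needs_talk(res))
```

The guess order is fixed (login name first, then the wordlist), so the guess
count is a stable measure of how weak a choice was even though wall-clock
time varies from run to run; the elapsed time is what the post asks to mail,
the guess count is what makes repeat offenders comparable across runs.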



More information about the Comp.unix.wizards mailing list