Password security - Another idea
Barry Shein
bzs at Encore.COM
Fri Dec 30 10:32:42 AEST 1988
Ok, this is getting ridiculous...
Can we assume that before we make exotic changes like shadow passwords
we can make simple changes (some Unix's already have these) to the
passwd changing programs like:
1. Some mixture of upper case, lower case, digits and/or
punctuations.
2. No dictionary words (even mixed case.)
3. Can't use login name, system name and a bunch of other
easily checked words or patterns (3 digits, dash, 4 digits.)
4. Must be eight chars (or 7 if you're not that paranoid.)
5. Finally, will educate users about how to choose a good
password (maybe we can group-write a document about just
that, that would be a useful outcome of this conversation.)
This is trivial and can be enforced relatively easily without changing
all sorts of system software, only one program needs to be modified.
Something has to be tacit, every time someone says that eight chars
from a 64 or 100 char set should be sufficient someone else jumps up
and says "not if they're all lower-case!", assume when we say "from
100 chars" we mean we'll make it hard to search less, not "from 100
chars or any number less down to one".
And let's let the conversation about more exotic methods (password
aging, shadow password files, anything beyond influencing a reasonable
choice of a good password in the first place which some of us claim is
sufficient) proceed from there instead of going round and round in
circles.
*Think*, people, how in the world can password aging protect against
choosing a word from the dictionary (as one poster just claimed.) I
can crack that looooong before your password ages (unless it ages
every few minutes.)
It's a worthwhile topic, let's not let it degenerate due to
thoughtlessness.
-Barry Shein, ||Encore||
More information about the Comp.unix.wizards
mailing list