Password security - Another idea
Scott Schwartz
schwartz at cs.swarthmore.edu
Thu Dec 29 05:35:32 AEST 1988
>Hiding something indicates that it is dangerous if revealed. It says,
>basically, that encryption technology is inadequate and cannot be made
>to work, the only reasonable protection is secrecy. Do we honestly
>believe this? Or, worse, do we believe that security is attained by
>layering anything we can think of onto the system?

At least in terms of the current UNIX password scheme, I have the
uncomfortable feeling that it is NOT adequate. I'll bet that
99% of the people reading this have either used or seen a program
that finds a substantial number of passwords on a given system by
encrypting the dictionary against /etc/passwd.

Put it this way: every other part of unix has evolved, why not allow
the password protection scheme to evolve too?

As it happens, I think that Barry has a good point here. I think
one answer is to admit that 8 character passwords (and user id's,
for that matter!) are too small. Someone who knows a lot about
encryption (not me!) should suggest a better number.
--
Scott Schwartz <schwartz at cs.swarthmore.edu> <psuvax1!vu-vlsi!swatsun!schwartz>