random passwords (was Re: Worm...)

Larry McVoy lm at snafu.Sun.COM
Wed Nov 30 12:22:04 AEST 1988


Steve wrote:
>>Let's look at this quantitatively.  There are, more or less, 95
>>printable characters.  We'll subtract 2 for @ and #, which many UNIX
Barry said:
[wonderful]
Jeez.  This sounds awful.  Try this instead, you'll like it better.

Add a field somewhere (/etc/failures?) that records the number of 
failed attempts.  If it reaches some maximum, disallow logins with 
some message like:

	("Possible security risk: %d failed attempts\n", failed)

If the failed number is greater than MAXFAIL/2, then warn the user that
he ought to reset his password (to anything, including what it was).
Resetting would clear the failed field.  Now that I think about it,
you could print out the number of failed attempts to date at login time.
Users would know right away if someone had been beating on their
account.

Wouldn't this be a much easier and more palatable way to solve the problem?

Larry McVoy      (lm%snafu at sun.com)
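As an added example (not code from the original post or from any UNIX login program), the scheme above expressed in C: a per-user failure counter, a hard refusal once it reaches MAXFAIL, a warning once it passes MAXFAIL/2, the count reported at every successful login, and a password change that clears it. The value of MAXFAIL, the function names, and the in-memory `struct failrec` standing in for the proposed /etc/failures file are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAXFAIL 10   /* lockout threshold; hypothetical value for this example */

/* In-memory stand-in for the per-user record the post proposes keeping
 * in a file such as /etc/failures (persistence is assumed, not shown). */
struct failrec {
    char user[32];
    int failed;       /* failed attempts since the last password reset */
};

enum login_status { LOGIN_OK, LOGIN_BAD_PASSWORD, LOGIN_LOCKED };

/* Apply the post's policy to one login attempt.
 * password_ok is the result of the usual password check; msg receives
 * the text login would print for the user. */
enum login_status check_login(struct failrec *r, int password_ok,
                              char *msg, size_t msglen)
{
    /* At MAXFAIL the account is refused even with the right password. */
    if (r->failed >= MAXFAIL) {
        snprintf(msg, msglen,
                 "Possible security risk: %d failed attempts\n", r->failed);
        return LOGIN_LOCKED;
    }
    if (!password_ok) {
        r->failed++;
        snprintf(msg, msglen, "Login incorrect\n");
        return LOGIN_BAD_PASSWORD;
    }
    /* Successful login: always show the count so the user notices
     * someone beating on the account; past MAXFAIL/2, advise a reset. */
    if (r->failed > MAXFAIL / 2)
        snprintf(msg, msglen,
                 "%d failed attempts since last reset; "
                 "consider resetting your password\n", r->failed);
    else
        snprintf(msg, msglen,
                 "%d failed attempts since last reset\n", r->failed);
    return LOGIN_OK;
}

/* A password change (to anything, including the old value) clears the
 * counter; a successful login alone does not. */
void reset_password(struct failrec *r)
{
    r->failed = 0;
}

int main(void)
{
    struct failrec r;
    char msg[128];
    int i;

    strcpy(r.user, "alice");   /* constructed sample account */
    r.failed = 0;

    /* six bad guesses, then the owner logs in and sees the warning */
    for (i = 0; i < 6; i++)
        check_login(&r, 0, msg, sizeof msg);
    check_login(&r, 1, msg, sizeof msg);
    fputs(msg, stdout);

    /* four more bad guesses reach MAXFAIL: even the real password is refused */
    for (i = 0; i < 4; i++)
        check_login(&r, 0, msg, sizeof msg);
    check_login(&r, 1, msg, sizeof msg);
    fputs(msg, stdout);

    /* a reset clears the record and the owner is back in */
    reset_password(&r);
    check_login(&r, 1, msg, sizeof msg);
    fputs(msg, stdout);
    return 0;
}
```

The counter is deliberately not cleared by a successful login, only by a reset, so the number shown at login reflects everything that happened to the account since the user last acted on it.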
