What should the password/security/userinfo/login system include?

Leslie Mikesell les at chinet.chi.il.us
Sat Dec 9 16:34:33 AEST 1989


In article <1236 at ispi.UUCP> jbayer at ispi.UUCP (Jonathan Bayer) writes:

>>I want logging of *all* keystrokes during a failing attempt at logging
>>in.

>This is not a good idea.  If someone unauthorized sees this log file
>they would have a fairly good idea of some of the passwords on the
>system.

If they are written to a file that can only be read by root, why
should I worry about that?  If someone can already get root permissions
why would they want to know any other passwords?

>Remember, a lot of failed login attempts are due to typing
>mistakes and (sometimes) bad phone connections.  In these cases the user
>id's may be correct, or possibly one character off, and the same goes
>for the passwords.

Indeed, and when that person calls me and asks why they can't get in
to the system, I'd like to be able to tell them.  One aspect of security
is to keep everyone happy enough that they don't *want* to damage the
system.  In that vein, I'd personally like to strangle the person who
invented automatic password aging.  My input to that "your password
has expired - choose a new one" prompt (which usually comes after I
notice an automated login script has been making long-distance calls
and failing every 10 minutes for a day or two) invariably contains
at least one predictable four-letter word.  It's a good thing all the
machines that have done that to me have been out of my reach...

Les Mikesell
  les at chinet.chi.il.us
