Password security - Another idea
John F Carr
jfc at athena.mit.edu
Thu Jan 5 12:10:41 AEST 1989
In article <4523 at xenna.Encore.COM> bzs at Encore.COM (Barry Shein) writes:
>Can we assume that before we make exotic changes like shadow passwords
>we can make simple changes (some Unix's already have these) to the
>passwd changing programs like:
[a list of 4 common suggestions like no dictionary words/username]
> 5. Finally, will educate users about how to choose a good
> password
I think this alone is both necessary and sufficient for security. I see no
reason to believe that a user who is inclined to choose "easy" passwords (i.e.
chosen from a small, predictable fraction of all legal passwords) will stop
doing so when restrictions are applied. He will just have to choose from a
different set of strings. On the other hand, an educated user will choose
"good" passwords with current, unrestricted systems.
(As long as we are talking of what makes an "easy" password, I know of a
system that compares old & new passwords to make sure that no number in the
new password is the same as a number in the old +/- 1. It also checks the
new password and refuses to allow any three letter month abbreviation ("jan",
"feb",...) or the current year as a substring.)
--
John Carr "When they turn the pages of history,
jfc at Athena.mit.edu When these days have passed long ago,
bloom-beacon! Will they read of us with sadness
athena.mit.edu!jfc For the seeds that we let grow?" --Neil Peart
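
The checks described in the parenthetical above, written out as an added example; this is not code from the post or from the system it mentions. It assumes "number" means a maximal run of digits, that "+/- 1" means differing by at most 1, and that the year is matched in four-digit form; the function names and sample passwords are constructed for illustration.

```python
import re
from datetime import date

MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")


def numbers_in(password):
    """Return the integer value of every maximal run of digits."""
    return [int(run) for run in re.findall(r"\d+", password)]


def check_new_password(old, new, year=None):
    """Return the reasons for rejecting `new`; an empty list means accepted."""
    year = date.today().year if year is None else year
    reasons = []

    # Rule 1 (assumed reading): no number in the new password may equal
    # a number in the old password, or differ from it by exactly 1.
    old_numbers = numbers_in(old)
    for n in numbers_in(new):
        near = [o for o in old_numbers if abs(n - o) <= 1]
        if near:
            reasons.append(f"number {n} is within 1 of {near[0]} in the old password")

    # Rule 2: no three-letter month abbreviation as a substring.
    lowered = new.lower()
    for month in MONTHS:
        if month in lowered:
            reasons.append(f"contains month abbreviation '{month}'")

    # Rule 3: the current year (four-digit form assumed) as a substring.
    if str(year) in new:
        reasons.append(f"contains the current year {year}")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords, checked as if the year were 1989.
    for candidate in ("tiger8", "tiger9", "Marble42", "x1989y", "quilt-53-wind"):
        print(candidate, check_new_password("tiger7", candidate, year=1989))
```

The sample run shows both sides of the argument in the post: "tiger9" is accepted after "tiger7" because the number moved by 2 instead of 1, while "Marble42" is rejected only because "marble" happens to contain "mar".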
More information about the Comp.unix.wizards
mailing list