Password security - Another idea

Doug Gwyn gwyn at smoke.BRL.MIL
Mon Jan 2 15:03:13 AEST 1989


In article <4523 at xenna.Encore.COM> bzs at Encore.COM (Barry Shein) writes:
>Can we assume that before we make exotic changes like shadow passwords
>we can make simple changes (some Unix's already have these) to the
>passwd changing programs like: ...

NO!  The "easy-to-guess password" checks are not sufficient, and
the accompanying restrictions are a royal pain in the user's ass.
It has been argued that they result in REDUCED security!

Exposing the encrypted password for anyone to see is FOLLY; it was
barely excusable in the first place and is inexcusable now.  The
shadow password file (which is NOT "exotic"; in fact JHU/BRL PDP-11
UNIX had something of the sort many years ago) has already been
implemented; so long as UNIX sticks to the general modified DES
encryption scheme, hiding the encrypted passwords is a necessary
security measure.
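The shadow split argued for above, as an added example that is not part of the original post or of any UNIX implementation. It uses a constructed passwd file, a stand-in for crypt(3) named toy_crypt (a truncated SHA-256 chosen only so the 13-character salt+hash shape matches; it is NOT the modified-DES algorithm), a wordlist guess loop that any reader of the hashes can run offline, and the same guess loop after the hashes are moved to a mode-0600 shadow file. All user names, passwords and wordlist entries are made up.

```python
import hashlib
import os


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3): 2-char salt followed by 11 hash characters.
    Only the 13-character shape is imitated; this is not modified DES."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:11]


FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")

# Constructed sample: a world-readable passwd file with the hashes still in it.
PASSWD_WITH_HASHES = [
    "root:" + toy_crypt("toor", "aA") + ":0:0:root:/:/bin/sh",
    "bzs:" + toy_crypt("encore", "bB") + ":100:10:Barry Shein:/u/bzs:/bin/csh",
    "gwyn:" + toy_crypt("Jx!9#qLm", "cC") + ":101:10:Doug Gwyn:/u/gwyn:/bin/sh",
]

# Constructed wordlist, the kind an attacker tries against exposed hashes.
WORDLIST = ["password", "toor", "root", "encore", "unix", "wizard"]


def parse_passwd(lines):
    """Split colon-separated passwd lines into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, line.split(":"))) for line in lines]


def offline_guess(passwd_lines, wordlist):
    """What anyone who can read the file can do: hash each wordlist entry
    with the user's salt and compare. No login attempts, no logging."""
    cracked = {}
    for entry in parse_passwd(passwd_lines):
        h = entry["pw"]
        if len(h) != 13:  # 'x', '*' or empty: nothing to attack here
            continue
        salt = h[:2]
        for word in wordlist:
            if toy_crypt(word, salt) == h:
                cracked[entry["name"]] = word
                break
    return cracked


def shadow_split(passwd_lines):
    """Replace the hash field with 'x' in the public file and move the
    hash into a separate shadow list (name:hash)."""
    public, shadow = [], []
    for entry in parse_passwd(passwd_lines):
        shadow.append(f"{entry['name']}:{entry['pw']}")
        entry["pw"] = "x"
        public.append(":".join(entry[k] for k in FIELDS))
    return public, shadow


def write_files(directory, public, shadow):
    """Write passwd world-readable and shadow owner-only (root on a real
    system); returns (passwd_path, shadow_path)."""
    ppath = os.path.join(directory, "passwd")
    spath = os.path.join(directory, "shadow")
    with open(ppath, "w") as f:
        f.write("\n".join(public) + "\n")
    with open(spath, "w") as f:
        f.write("\n".join(shadow) + "\n")
    os.chmod(ppath, 0o644)
    os.chmod(spath, 0o600)
    return ppath, spath


def check_password(shadow_lines, name, password):
    """The login path: only the privileged checker reads the shadow list."""
    for line in shadow_lines:
        n, h = line.split(":", 1)
        if n == name:
            return toy_crypt(password, h[:2]) == h
    return False


if __name__ == "__main__":
    print("exposed hashes, offline guesses:", offline_guess(PASSWD_WITH_HASHES, WORDLIST))
    public, shadow = shadow_split(PASSWD_WITH_HASHES)
    print("after shadow split, offline guesses:", offline_guess(public, WORDLIST))
    print("login still works:", check_password(shadow, "gwyn", "Jx!9#qLm"))
```

The guess loop is the whole point: it runs against the copied file, off the machine, with no failed-login record, so the only thing that limits it is how many hashes the attacker can read. The split does not change the hash algorithm at all; it changes who can read the hashes.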
