password security

Barry Shein bzs at Encore.COM
Sat Dec 24 03:47:21 AEST 1988


From: prh at actnyc.UUCP (Paul R. Haas)
>In article <4444 at xenna.Encore.COM> bzs at Encore.COM (Barry Shein) writes:
>>The average secretary I know is bright enough to understand rules like
>>"use two short words with some upper-case letters and/or digits thrown
>>in and separated by a punctuation, like "Hey!Jude" "FidoIS#1". Very
>>hard to guess, very easy to remember, next...

>Give a thousand secretaries that same set of instructions and you will
>get far less than a thousand different passwords.  Sort them in order
>of frequency and try them all on whatever system you are trying to
>crack.  You certainly won't be able to break all the accounts, but you
>will get a few.

Is this based on *anything*? Or just a wild guess? It sounds utterly
baseless to me. You honestly think if I told 1000 people to:

	choose two short words separated by a punctuation character
	and mix some upper-lower case into the words

I would frequently get the exact same result from different people?

Gads, and what might that result be? The world of human psychology
awaits your discovery! (the only exception I can imagine is that if
you gave an example they'd all use the example, but other than that,
you can check for that easily enough.)

>If people are allowed to create their own passwords, there should not be
>a way to try ten thousand different passwords on each account without
>triggering some alarm.

I doubt you can ever achieve this as someone only needs access to your
encryption algorithm.

>If security is really important it may be useful to put the shadow
>password file on a separate server machine.  The server machine should be
>physically and electronically remote so that the only requests it
>services are "check password/username", "add password/username",
>"remove password/username" and "changepassword
>newpassword/oldpassword/username".  This implies that backups and restores
>have to be done manually.  A logical migration path to a secure password
>server is to use a shadow password file which is normally only accessible
>through a small well defined interface.

Unfortunately you now have to trust your network (e.g. that I can't
send "password ok" messages from a different system.)

It's a hard problem, merely adding layers of complexity is not a
particularly compelling approach. That's my whole point.

	-Barry Shein, ||Encore||
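The "some alarm" Paul asks for in the quoted paragraph (no way to try thousands of passwords against one account without being noticed) is easy to sketch. The following is an added example, not code from either poster: it reads authentication log lines, keeps a sliding window of failures per account, and fires an alarm when the count reaches a threshold. The log format, the sample lines, the threshold of 5 and the 10-minute window are all constructed for this illustration; a real deployment would pick values to suit its system and reset policy.

```python
"""Per-account failed-login alarm (added example; format and data constructed)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines: "<date> <time> <result> user=<name> from=<host>".
# Not real output of any system; the format is an assumption for this example.
SAMPLE_LOG = """\
1988-12-24 03:40:01 FAIL user=alice from=host1
1988-12-24 03:40:02 FAIL user=alice from=host1
1988-12-24 03:40:02 OK   user=bob from=host7
1988-12-24 03:40:03 FAIL user=alice from=host1
1988-12-24 03:40:04 FAIL user=alice from=host1
1988-12-24 03:40:05 FAIL user=alice from=host1
1988-12-24 03:40:06 FAIL user=alice from=host1
1988-12-24 03:55:00 FAIL user=carol from=host3
1988-12-24 04:20:00 FAIL user=carol from=host3
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, failed?, user, host)."""
    date, time, result, user_field, from_field = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    user = user_field.split("=", 1)[1]
    host = from_field.split("=", 1)[1]
    return ts, result == "FAIL", user, host


def find_alarms(log_text, threshold=5, window_seconds=600):
    """Return [(user, "YYYY-MM-DD HH:MM:SS"), ...] for every time an account's
    failure count within the sliding window first reaches `threshold`.

    A successful login clears that account's failure history (the usual
    lockout-counter behaviour); failures older than the window are dropped.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alarms = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, failed, user, _host = parse_line(raw)
        if not failed:
            recent.pop(user, None)  # success resets the counter for that user
            continue
        q = recent[user]
        q.append(ts)
        # Slide the window: forget failures older than window_seconds.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) == threshold:  # fire once, when the threshold is first hit
            alarms.append((user, ts.strftime("%Y-%m-%d %H:%M:%S")))
    return alarms


if __name__ == "__main__":
    for user, when in find_alarms(SAMPLE_LOG):
        print(f"ALARM: {user} reached the failure threshold at {when}")
```

Run as-is it reports alice at 03:40:05 (her fifth failure inside ten minutes) and stays quiet about carol, whose two failures are 25 minutes apart. Note that this only addresses online guessing through the login interface; it does nothing for the case Barry raises next, where an attacker who has the hashed passwords and the algorithm guesses offline without touching the system at all.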


