Better passwords from users
Wilson Heydt
whh at pbhya.PacBell.COM
Wed Dec 21 10:45:04 AEST 1988
There has been a lot of discussion lately about enforcing better password
choices by users. I have a modest suggestion . . .
Why not set up a small daemon that tries to break passwords and reports--
by mail--to the user and the system administrator that the password has been
broken. Not what the password is--the user knows that, just how long it took
to break. If the same users are getting their passwords broken quickly,
then the administrator can have a talk with the user about how to pick better
passwords. If they aren't being broken, then the users are probably making
good choices.
The complaint about this scheme will be that the cracking program provides
an example to others of How To Do It. I think this argument fails on two
grounds. First, as has been often enough pointed out, the attackers already
*know* how this is done--you are not telling them anything new. Secondly,
the nature of the program will provide clues about what kinds of passwords
are being avoided on a given system. This second point may be partially
true, in that the cracker learns what kind of passwords are being avoided
locally. However, if the cracker has gotten that far into the system, that
knowledge is probably already useless, save as a curiosity.
On the positive side, I think such a program can serve to gently educate
users about better passwords far more effectively than jumping up and
down and screaming at them. In addition, you will only have to deal with
those users who are in the habit of picking poor passwords--and not
irritating those that already pick good ones.
--Hal
=========================================================================
Hal Heydt | "Hafnium plus Holmium is
Analyst, Pacific*Bell | one-point-five, I think."
415-645-7708 | --Dr. Jane Robinson
{att,bellcore,sun,ames,pyramid}!pacbell!pbhya!whh
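As an added illustration (not code from the original post), the scheme described above in Python: an audit routine runs a dictionary with a few mangling rules against stored password hashes and produces the mail text the post asks for, stating only how many guesses and how long the break took, never the password itself. The hash scheme (PBKDF2-SHA256), the sample accounts and the wordlist are all constructed here for the demonstration and are assumptions, not anything from the original post.

```python
import hashlib
import os
import time


def hash_pw(password: str, salt: bytes, rounds: int = 1000) -> bytes:
    """Assumed hash scheme for the demo: salted PBKDF2-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_account(password: str):
    """Constructed account record: (random salt, hash)."""
    salt = os.urandom(8)
    return salt, hash_pw(password, salt)


def candidates(wordlist):
    """Dictionary words plus two common mangling rules: capitalise, append a digit."""
    for w in wordlist:
        yield w
        yield w.capitalize()
        for d in "0123456789":
            yield w + d


def audit(accounts, wordlist):
    """accounts: {user: (salt, hash)}. Returns {user: (guesses, seconds)} or None if unbroken."""
    results = {}
    for user, (salt, digest) in accounts.items():
        start = time.perf_counter()
        results[user] = None
        for n, guess in enumerate(candidates(wordlist), 1):
            if hash_pw(guess, salt) == digest:
                results[user] = (n, time.perf_counter() - start)
                break
    return results


def report(user, result):
    """Mail body for user and administrator: discloses effort, not the password."""
    if result is None:
        return f"{user}: password survived the dictionary run; no action needed."
    guesses, secs = result
    return f"{user}: password broken after {guesses} guesses ({secs:.3f}s); please pick a stronger one."


# Constructed sample data: one weak (dictionary word plus digit) and one strong password.
WORDLIST = ["password", "secret", "wizard", "unix"]
ACCOUNTS = {"alice": make_account("wizard7"), "bob": make_account("correct-horse-battery")}

if __name__ == "__main__":
    for user, res in audit(ACCOUNTS, WORDLIST).items():
        print(report(user, res))
```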