60-second timeout in Unix login
Robert Cray
robert at stevie.cs.unlv.edu
Thu Jan 21 10:00:00 AEST 1988
In article <10578 at brl-adm.ARPA> bzs at bu-cs.bu.EDU (Barry Shein) writes:
>Even password aging, which seems to be based upon similar logic (?) I
>assume relies on the assumption that the would be cracker is "closing
>in" so changing it throws him/her off course. I thought we all rely on
>the massive combinatorics (assuming good passwd choice) involved?
>Changing the passwd doesn't change that.
>
I think password aging assumes that many users will have poorly chosen
passwords, and if a cracker gets it, it will only be for a short time
until it is changed next. I've run ``password guessing'' programs on
a number of varying machines, typically 40% will have normal words as
passwords. I hear that in the next (4.7?) version of vms, it will
remember the last 6 passwords so that a->b->a (which is what I always do)
will be more painful. Another (bad) thing that vms can be set up to do
is log ``intrusion'' records. It will log the username *and* password that
was attempted, so if you log on over a noisy line, and have 3 failed
attempts, maybe *thats* the time to change your password.
--robert
More information about the Comp.unix.wizards
mailing list