What should the password...

Mitchell Wright  mitch at hq.af.mil
Sat Dec 16 02:41:32 AEST 1989


> Newsgroups: comp.unix.wizards
> Date: 15 Dec 89 01:02:15 GMT

lwall at jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:

>We FORCE people to have the same password everywhere.  Even if some users
>[...]  Once a cracker gets onto one of our machines, he can get to any of
>the others anyway, so why have different passwords?
>
Having different passwords would keep the cracker off of your other machines.
It is the use of '.rhosts', etc... that allows this.  In my case, you could
have any one of my passwords, but it wouldn't help you gain access to my
accounts.

>[...]
>By the way, another reason for having the same password everywhere is that
>we force a person's password entry to have the same salt in every password
>file.  If you let people have the same password on different machines but
>use different salts (and if the salts are different, how can you prevent
>people from using the same password anyway?) then your salt protection
>is weakened.  Suppose you have your password out there with 40 different
>salts.  Someone only has to encrypt using 1/40th of the salts to get a hit
>on your password.
>
I agree that it is difficult (if not impossible) to get users to use different
passwords on different systems.  It should be emphasized that it increases
their personal security as well as the systems.

I have heard the argument that "It is too hard to remember X number of
passwords".  Well, it's not - you just have to set up a system for yourself.  A
system I used for a while was to take an acronym (i.e. nasa) and combine it
with a non-alphanumeric (i.e. !) and append the hostname (first ~3 char).  For
instance, my password on Podunk.edu might be "cuw*Podu".  Your acronyms can be
as obscure as you want.  Using the hostname is probably not a good thing to
use to vary your passwords since a cracker could probably figure that pattern
out.  So using this concept one could make the password "P[cuw]u", to make the
pattern less obvious or use a non-obvious varying part "cuw!07" where the "07"
part might mean the 7th choice on your terminal emulator's calling directory
amongst other things.  Of course the real strength in this password scheme is
not that the passwords are different, but that an acronym can be a very good
password and a good acronym will only be "cracked" by an exhaustive search.

..mitch
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mitch Wright 					Currently under contract to:
P.O. Box 46135					     USAF 7th CG, DOWL
Washington DC 20050	

			ARPA:	mitch at hq.af.mil
				gretzky at unison.larc.nasa.gov
			UUCP:	uunet!hq.af.mil!mitch
			AT&T:	(202) 697-3774

			BLDG:	Pentagon
			ROOM:	1D159
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
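The salt argument quoted in this post (one password stored under 40 different salts, attacker precomputing 1/40th of the salt space), worked through as an added example; this is not code from the original post or its author. It assumes the crypt(3) 12-bit salt space of 4096 values and models the attacker as having precomputed a dictionary under k distinct salts, with both salt sets drawn uniformly.

```python
from math import comb

# Constructed model (not from the original post): crypt(3) uses a 12-bit salt,
# so a password file can hold at most 4096 distinct salts.
SALT_SPACE = 4096


def hit_probability(salt_space, user_salts, precomputed_salts):
    """Chance that an attacker who precomputed a dictionary under
    `precomputed_salts` distinct salts covers at least one of the
    `user_salts` distinct salts under which one user's password is stored.
    Both salt sets are modelled as uniform draws without replacement, so
    P(miss) = C(S - k, m) / C(S, m) and P(hit) = 1 - P(miss)."""
    if user_salts > salt_space or precomputed_salts > salt_space:
        raise ValueError("more distinct salts than the salt space allows")
    if user_salts == 0 or precomputed_salts == 0:
        return 0.0
    if salt_space - precomputed_salts < user_salts:
        return 1.0  # too few uncovered salts left for the user to miss
    miss = comb(salt_space - precomputed_salts, user_salts) / comb(salt_space, user_salts)
    return 1.0 - miss


def salts_needed_for(target, salt_space, user_salts):
    """Smallest number of precomputed salts giving hit probability >= target."""
    for k in range(salt_space + 1):
        if hit_probability(salt_space, user_salts, k) >= target:
            return k
    return salt_space


def compare(salt_space=SALT_SPACE, machines=40):
    """The '40 salts, 1/40th of the salts' case from the quoted text:
    one password kept under a single salt (the forced-common-salt policy)
    versus the same password stored under `machines` different salts."""
    k = salt_space // machines  # attacker precomputes 1/40th of the salts
    return {
        "one_salt": hit_probability(salt_space, 1, k),
        "different_salts": hit_probability(salt_space, machines, k),
        "salts_for_50pct_one_salt": salts_needed_for(0.5, salt_space, 1),
        "salts_for_50pct_different": salts_needed_for(0.5, salt_space, machines),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.4f}" if isinstance(value, float) else f"{name}: {value}")
```

With the defaults, precomputing 102 of the 4096 salts gives roughly a 2.5% hit chance against a password kept under one salt but about 64% against the same password spread over 40 distinct salts. Using a different password on each machine, as argued above, removes the shared secret altogether, so a hit in one password file says nothing about the others.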


