What should the password/security/userinfo/login system include?

Larry Wall lwall at jpl-devvax.JPL.NASA.GOV
Fri Dec 15 12:02:15 AEST 1989


In article <7311 at ficc.uu.net> peter at ficc.uu.net (Peter da Silva) writes:
: In article <10665 at unix.UUCP> ram at attcan.UUCP (Richard Meesters) writes:
: > In article <7284 at ficc.uu.net>, peter at ficc.uu.net (Peter da Silva) writes:
: > > Password aging makes it more likely that a user will use the same password
: > > on a large number of machines, simply because it increases the number of
: > > things that user needs to remember.
: 
: > Huh?  Maybe I'm not reading this right.  Users will naturally gravitate to
: > using the same password on multiple systems, IMHO, for the same reasons you
: > have listed above.
: 
: If the user is conscientious, then they will use different passwords up
: to some limit. The more frequently they have to switch to a new password,
: the fewer machines they'll be willing to have unique passwords on.

We FORCE people to have the same password everywhere.  Even if some users
are conscientious here, it's the non-conscientious ones that are the weak
link, so your argument doesn't convince me.  Once a cracker gets onto one
of our machines, he can get to any of the others anyway, so why have
different passwords?

: If the user is not conscientious, they'll use the same password everywhere
: and minimise the effect of aging by using (say) "secret1" then "secret2",
: or toggle between two passwords, or otherwise work around the password aging.

We disallow both of these.  The new password must be sufficiently different
from the old one.  You can't EVER reuse a password on our system, period.
There's about 27 different kinds of bad password we disallow.  We don't
tell them what makes a good password since there are many ways to make
a good, memorable password, but eventually they figure out their own way,
and that's more secure than if we give them a single way to do it.

: So, at the best password aging doesn't improve security. At worst, it
: reduces it.

Password aging definitely improves security here.  I don't like it any
more than the users do, since I have to change their forgotten passwords
more often than they forget them (me being one and them being many).
But passwords do have a habit of leaking out from non-conscientious
users occasionally, so we have to punish the innocent with the guilty
in order to get the level of security we require.

: When the system makes *me* change, I then change back to the old one. And
: change passwords on my schedule.

You get a whole week's warning by mail here so you aren't suddenly forced
to think up a new password at an importune moment.

: > > 	* Stripping everything from the password file but name, password,
: > > 	  user id, and home.
: 
: > This looks a lot like what 386 unix already does with /etc/shadow and the
: > password file.
: 
: Nah, this puts *more* stuff in the password file. All the old stuff, plus
: password aging.

We have no extra stuff in our password file for aging.  The age in weeks,
modulo 64, is encoded into one of the salt characters (perturbed by the
first two characters of the login name so that salts are still randomly
distributed; also, the other salt character is still totally random.)

Nifty, eh?

By the way, another reason for having the same password everywhere is that
we force a person's password entry to have the same salt in every password
file.  If you let people have the same password on different machines but
use different salts (and if the salts are different, how can you prevent
people from using the same password anyway?) then your salt protection
is weakened.  Suppose you have your password out there with 40 different
salts.  Someone only has to encrypt using 1/40th of the salts to get a hit
on your password.

Larry Wall
lwall at jpl-devvax.jpl.nasa.gov
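
The salt-encoded aging scheme described in the message above, as an added example (not part of the original post and not the site's actual code). The 64-character salt alphabet is that of traditional crypt(3); the perturbation function (sum of the first two login-name bytes, mod 64), the function names and the timestamp are assumptions, since the post does not give them.

```c
#include <stdio.h>
#include <string.h>

/* Traditional crypt(3) salt alphabet: 64 characters, 6 bits per character. */
static const char SALT64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

#define SECS_PER_WEEK (7L * 24 * 60 * 60)

/* ASSUMPTION: perturbation = sum of the first two login-name bytes, mod 64. */
static int login_offset(const char *login)
{
    size_t n = strlen(login);
    int a = n > 0 ? (unsigned char)login[0] : 0;
    int b = n > 1 ? (unsigned char)login[1] : 0;
    return (a + b) % 64;
}

/* Salt character recording the week (mod 64) in which the password was set. */
char age_salt_char(const char *login, long set_time)
{
    int week = (int)((set_time / SECS_PER_WEEK) % 64);
    return SALT64[(week + login_offset(login)) % 64];
}

/* Weeks since the password was set (0..63), or -1 for an invalid salt char.
   Ages of 64 weeks or more alias to smaller values, so expiry must be below 64. */
int password_age_weeks(const char *login, char salt_ch, long now)
{
    const char *p = salt_ch ? strchr(SALT64, salt_ch) : NULL;
    if (p == NULL)
        return -1;
    int set_week = (int)(p - SALT64) - login_offset(login);
    int now_week = (int)((now / SECS_PER_WEEK) % 64);
    return ((now_week - set_week) % 64 + 64) % 64;
}

int main(void)
{
    long set = 628000000L;                 /* constructed timestamp */
    long now = set + 10 * SECS_PER_WEEK;   /* ten weeks later */
    char c = age_salt_char("lwall", set);
    printf("salt char %c, age %d weeks\n", c, password_age_weeks("lwall", c, now));
    return 0;
}
```

Because the age is stored modulo 64, a password left unchanged for 64 weeks decodes as freshly set; the scheme only works if the expiry period is shorter than that and is checked at every login.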


