What should the password/security/userinfo/login system include?

Bill Vermillion bill at bilver.UUCP
Tue Dec 12 02:05:29 AEST 1989


In article <1989Dec9.053433.5407 at chinet.chi.il.us> les at chinet.chi.il.us (Leslie Mikesell) writes:
>In article <1236 at ispi.UUCP> jbayer at ispi.UUCP (Jonathan Bayer) writes:
>
>>>I want logging of *all* keystrokes during a failing attempt at logging
>>>in.
>
>>This is not a good idea.  If someone unauthorized sees this log file
>>they would have a fairly good idea of some of the passwords on the
>>system.
>
>If they are written to a file that can only be read by root, why
>should I worry about that?  If someone can already get root permissions
>why would they want to know any other passwords?

I have noticed that when people choose a password, the next time they choose a
password it is along the same line - eg, names, cars, things, ...

If there is an unscrupulous SA, and failed attempts at logging in are recorded,
there is a good chance that person will be able to quickly figure these user
accounts on other machines, that perhaps this root user doesn't have access
to.

Often users have the same p'word on more than one system.  I am guilty of that
on one site that has 11 machines I am semi-responsible for.  (There are 6
people who have access to the list of root passwords for these machines.)
They could get to any accounts, but I wouldn't like them to be able to see
what I type for a password for my own login on those machines, as it would
give them an indication of how I choose passwords.  (Human nature being what
it is we usually build passwords that we can remember.).

>Indeed, and when that person calls me and asks why they can't get in
>to the system, I'd like to be able to tell them.

What's wrong with just noting that user xxxx was rejected for bad password?

>...  In that vein, I'd personally like to strangle the person who
>invented automatic password aging.

I'll agree on that point.

>Les Mikesell
(P.S. Les - I did get the disks last year, but about 5 attempts to mail you
acknowledgement and thanks - got bounced).

bill

-- 
Bill Vermillion - UUCP: {uiucuxc,hoptoad,petsd}!peora!tarpit!bilver!bill
                      : bill at bilver.UUCP
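The logging policy argued for above, as an added example that is not part of the original thread: the audit line records only who, from where, when and the outcome, never the text that was typed; a name that matches no account is logged as unknown, because a password typed at the login prompt by mistake arrives as a username; and a per-account failure count lets the admin answer "why can't I get in" without ever seeing what was typed. The account names, tty and timestamp are constructed for the example.

```python
import datetime
import re
from collections import Counter

# Constructed account list for this example; a real system would consult
# its account database instead.
KNOWN_USERS = {"bill", "les", "jbayer"}

# Constructed timestamp so the sample log is reproducible.
SAMPLE_TIME = datetime.datetime(1989, 12, 12, 2, 5, tzinfo=datetime.timezone.utc)


def audit_record(username, source, success, when=None):
    """Return the one-line audit entry for a login attempt.

    Only the account name, origin, timestamp and outcome are recorded. The
    attempted password is not even a parameter, so it cannot end up in the
    log. A name that matches no account is written as <unknown user>: what
    was typed there may well have been somebody's password.
    """
    when = when or datetime.datetime.now(datetime.timezone.utc)
    shown = username if username in KNOWN_USERS else "<unknown user>"
    outcome = "accepted" if success else "rejected for bad password"
    return f"{when:%Y-%m-%dT%H:%M:%SZ} login from {source}: user {shown} {outcome}"


LINE = re.compile(r"^\S+ login from (\S+): user (.+?) (accepted|rejected for bad password)$")


def failures_by_user(records):
    """Count rejected attempts per account from the audit lines."""
    counts = Counter()
    for line in records:
        m = LINE.match(line)
        if m and m.group(3).startswith("rejected"):
            counts[m.group(2)] += 1
    return dict(counts)


def sample_log():
    """Constructed log: two bad passwords for bill, one password typed as a
    user name (so it must not appear in the output), then a good login."""
    return [
        audit_record("bill", "tty03", False, SAMPLE_TIME),
        audit_record("bill", "tty03", False, SAMPLE_TIME),
        audit_record("hunter2", "tty03", False, SAMPLE_TIME),
        audit_record("bill", "tty03", True, SAMPLE_TIME),
    ]


if __name__ == "__main__":
    print("\n".join(sample_log()))
    print(failures_by_user(sample_log()))
```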


