[Lynn R Grant: Password Aging]

Dennis Paul Roth roth at macom1.UUCP
Fri Jan 13 10:42:37 AEST 1989


In article <edsJH550eM1010iOvbg at amdahl.uts.amdahl.com>, rickf at uts.amdahl.com (Rick Francis) writes:
> 
> But there is a difference between a password and a key.  If I get a
> quick look at your house key without your knowledge, the security of
> your house hasn't been compromised.  But if I see the "key" to your
> computer account...
	... you've got to be one of the select few who will recognise the
significance of what you've seen. Either you're an outsider trying to
break into my system or an insider betraying the organization.
One part of the security of my system has been compromised. I'll
concede you that. But one of the points I've been trying to make is that
computer security is more than just passwords. Now that you've
seen my password you've got to get access to my computer. There's
more to access control than just passwords. An insider already knows
how to access the system or can find out how. There is little or no defense
against betrayal by those who have been trusted. We can punish
those that we catch to deter others from doing the same. The outsider needs 
more than just a password to break a system where real security
exists.

The only thing you need to rob my house is the key to my front door and
the only thing you need to get into some low security computers is a login
and password. You need more than the key to the front door to rob The 
National Gallery of Art and you need more than a password to get at a secure
system. Security measures should be proportional to the value of what's
being defended.

Your original point was that if you give users a non-trivial password
some dummies will write it down. I would like to add that if you give
users trivial passwords some dummies will write them down. Further, no
matter how the passwords are selected, some dummies will write their 
login and password on a piece of paper and tape it to their terminal. 

But, if you use non-trivial passwords you make it much harder for an
outsider to get in. He's got to be damn lucky to get a peek at the 
piece of paper the careless user has written the password on and
he has to know what he's seen.
-- 
Dennis Roth     ...grebyn!macom1!roth          Centel Federal Systems
                     roth at macom1.UUCP          11400 Commerce Park Drive
                                               Reston, VA 22091-1506
                                               703-758-7000