password protection

Barry Shein bzs at Encore.COM
Mon Jan 2 06:05:41 AEST 1989 

From: Kemp at dockmaster.arpa
>    I can't quite parse that last sentence, but I assume you are saying
>"educate users to use mixed-case, digits, and punctuation in their
>8 (or 7) character passwords".  That's a useful idea, but it's not
>sufficient.  Your math is *bogus*.  Entropy has been discussed here a
>few times, but I will beat on it again.

What I'm saying is to consider using password changing programs which
enforce some reasonable policy AND educate users why it's being done
and why not to try and subvert it.

My math isn't bogus, c'mon, look at the straws we're grasping for:

>If you set an army of undergraduates to generating
>zillions of passwords based on your rules (mixed case and punctuation,
>no dictionary words, etc), I would be extremely surprised if you came
>out with as much as 40 bits of information per password.

Army of undergrads? Fine, I am GLAD to admit that my suggestion
(mixedcaseword-punct-mixedcaseword) was not optimal (although I don't
think it's an awful example, for a start), but it does not follow that
there exists no reasonable password choice algorithm (or worse, that
THEREFORE we need some of the other things suggested like shadow pw
files.) You're simply trying to force the hacker to search the whole
space or a very large space.

It's quite possible the correct conclusion is that typed in passwords
are fundamentally hopeless, high security areas do use all those other
non-voluntary expensive methods for a reason I assume (voiceprints,
retinal scanners etc), probably because they reached this conclusion a
long time ago. Given that we're probably chasing a will-o-wisp (ie.  a
method to make textual passwds secure.)

>Again, you miss the point.  As a security issue, password aging is
>virtually orthogonal to password selection.  This has also been explained
>several times here or in RISKS.  Passwords may be obtained illicitly in
>many ways besides cryptanalytic attack, such as listening to your comm
>line or your ethernet, looking over your shoulder, searching your desk
>for scraps of paper, running a password grabber, bribing a system
>administrator, searching your dumpster for punched cards :-), analysing
>the reflections of an invisible laser beam aimed at your keyboard :-) :-),
>etc.  The point is, an unauthorized person has your password and you don't
>know (s)he has it.  How long do you want him/her to have it.  If your
>answer is "a century", that's fine.  On systems with anything of value
>to protect, six months might be a better answer.

Agreed! I don't miss the point, I just wonder if you can really sell
folks on a security approach which limits someone having their
password for "only" 6 months (glork.) I suppose it's better than
nothing, but not much. That's the point, it's not a very good approach
(either you change your password VERY often or stand to have your
password known for whatever the password aging cycle is, months?)

I simply think we're all grasping for straws here and many of the
methods being proposed are not really worthwhile other than perhaps as
friendly suggestions (hey you, change your pw every so often!) It's
just a lot of pap.

	-Barry Shein, ||Encore||

More information about the Comp.unix.wizards mailing list