Password security - Another idea

Mark A. Heilpern heilpern at ibd.BRL.MIL
Tue Jan 3 23:19:08 AEST 1989


In article <4545 at xenna.Encore.COM> bzs at Encore.COM (Barry Shein) writes:
>
>Re: using a .case file which shows the lower/upper case pattern for
>a password....
>
>But this means that login will now accept the dictionary word in lower
>case? Seems to reopen that attack (ie. going thru the dictionary) as
>login is correcting case for me as I go.

The time a dictionary search THRU THE LOGIN PROGRAM would take would be astronomical.
The danger of a dictionary search is in the user writing a C
program which uses the crypt() command, etc.

>
>Worse, it relies on the unreadability of these .case files in every
>user's directory, I don't think that's a good thing to rely on, if
>users are sloppy about password choosing and too lazy to remember the
>case shifts why do you believe they'll be careful about protecting
>this .case file? Besides, holes to read unreadable files are a little
>too easy to come by (also, I assume that the length of the file tells
>me how many chars in your passwd?)

1) The login program should NOT allow entry if the .case file is readable,
and since /bin/login is setuid to root, I THINK .case's attributes could
be unreadable to the user.
2) There is nothing wrong with a .case file with, say, 10 characters when
the password is only seven characters long! Additionally, the user does not
even have to be aware of what his cases are! /bin/passwd could randomly
create a new one when invoked, maybe making all of them 10 or 15 characters.

[ Although I don't know of a way ] if there is a way to make a file
invisible to /bin/ls, the user would not have to be aware of the file's
existence.

Have a nice Day :)

-- 
 |\/|         |
 |  |   _     |<
/    \_(_(_)\_/ \______
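The .case scheme debated above, as an added example that is not code from the original post: it assumes a mask format the thread never specifies (one character per position, 'U' for upper case, 'l' for lower case, padded past the password length) and uses SHA-256 only as a stand-in for crypt(). It shows both sides of the argument in running code: the padded mask hides the password length, but case correction makes login accept the all-lowercase dictionary word, collapsing the 2^k casings of a k-letter password to a single guess.

```python
import hashlib
from typing import Optional

# Constructed example mask: 'U' = upper case, 'l' = lower case, one char per
# position, padded to 10 characters so its size does not reveal the length of
# the 6-character password. (Format is an assumption, not from the thread.)
EXAMPLE_MASK = "UlUlUllUlU"
EXAMPLE_PASSWORD = "SeCrEt"


def apply_case_mask(typed: str, mask: str) -> str:
    """Re-case the typed password according to the .case mask.
    Mask positions beyond the typed length are padding and are ignored."""
    out = []
    for ch, m in zip(typed, mask):
        out.append(ch.upper() if m == "U" else ch.lower())
    return "".join(out)


def stored_hash(password: str) -> str:
    """Stand-in for the one-way function login compares against (not crypt())."""
    return hashlib.sha256(password.encode()).hexdigest()


def login_accepts(typed: str, stored: str, mask: Optional[str]) -> bool:
    """True if login would accept `typed`; with a mask, login fixes the case first."""
    candidate = apply_case_mask(typed, mask) if mask else typed
    return stored_hash(candidate) == stored


def case_variants(word: str) -> int:
    """Distinct casings of a word, i.e. how many guesses the case bits add
    when no .case file corrects them."""
    return 2 ** sum(c.isalpha() for c in word)


if __name__ == "__main__":
    h = stored_hash(EXAMPLE_PASSWORD)
    print(len(EXAMPLE_MASK), len(EXAMPLE_PASSWORD))        # 10 6: size leaks nothing
    print(login_accepts("secret", h, None))                # False
    print(login_accepts("secret", h, EXAMPLE_MASK))        # True: lowercase word accepted
    print(case_variants(EXAMPLE_PASSWORD))                 # 64 casings collapse to 1
```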
