[net.unix] password aging

kdq@pthya.UUCP (Kip Quackenbush) (03/26/84)

In the name of false security, or lack thereof,
what do most admin types find as an acceptable
length of time before one's password expires?

Thanks in advance
Kip Quackenbush
Pacific Bell
{...}!dual!pthya!kdq

salmi@dicomed.UUCP (John Salmi) (07/06/85)

I understand that SysV offers a password aging scheme.  Does 4.x BSD support
anything similar?  If no, has anyone done a hack to allow password aging?

Please respond via email, and many advance thanks!

ian@utcs.UUCP (Ian F. Darwin) (07/18/85)

In article <527@dicomed.UUCP> salmi@dicomed.UUCP (John Salmi) writes:
>I understand that SysV offers a password aging scheme.  Does 4.x BSD support
>anything similar?  If no, has anyone done a hack to allow password aging?

I presume the reason that you're interested is to make your system
more secure. Some forms of password aging can instead make it less so.
Before you copy the System V password aging stuff to 4BSD, I
recommend that you read the only significant discussion of
the topic that I'm aware of. It's contained in the following
paper in the AT&T Bell Labs Tech Journal.

%A F. T. Grampp
%A R. H. Morris
%T UNIX Operating System Security
%J BLTJ
%V 63
%N 8
%D October, 1984
%P 1649
%X Computing systems that are easy to access and that facilitate communication
with other systems are by their nature difficult to secure. Most often,
though, the level of security that is actually achieved is far below what it could
be. This is due to many factors, the most important of which are the
knowledge and attitudes of the administrators and users of such systems. We discuss
here some of the security hazards of the UNIX operating system, and we
suggest ways to protect against them, in the hope that an educated community
of users will lead to a level of protection that is stronger, but far more
importantly, that represents a reasonable and thoughtful balance between
security and ease of use of the system. We will not construct parallel examples
for other systems, but we encourage readers to do so for themselves.

alan@drivax.UUCP (Alan Fargusson) (07/23/85)

> In article <527@dicomed.UUCP> salmi@dicomed.UUCP (John Salmi) writes:
> >I understand that SysV offers a password aging scheme.  Does 4.x BSD support
> >anything similar?  If no, has anyone done a hack to allow password aging?

I seem to have missed the original article, but I would like to say that
we have been using the password aging stuff here for over a year, and I
think it is real poor. Bad things happen when the date is wrong when
the system comes up, which is real likely since System V uses the time
of day clock in a VAX in a different way than VMS, and the DEC diagnostics
run under VMS. Real life scenario: DEC comes in and runs diagnostics, sets
date under VMS, reboots UNIX, date becomes next December, passwords age, all
the news expires, I come in and fix the date, passwords age again (sounds like
a bug, why should they age in reverse?).

Also the new restrictions on what can be used for a password are ridiculous.
They prevent me from using passwords that are hard for other people to type
but are easy for me to type. Everyone that I know just puts a number on
the front of the password that they want anyway, which defeats the restrictions.
-- 

Alan Fargusson.

{ ihnp4, amdahl, mot }!drivax!alan
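
The clock scenario in the post above, as an added example that is not code from the thread or from System V itself. It assumes the aging field layout usually described for System V (radix-64 digits: maximum weeks, minimum weeks, then week of last change) and assumes login also forces a change when the stored week lies in the future; the field values are constructed.

```c
#include <stdio.h>
#include <string.h>

#define WEEK (7L * 24 * 60 * 60)

/* Decode up to four radix-64 digits ("./0-9A-Za-z", least significant
   digit first), the encoding assumed here for the aging field. */
static long age_decode(const char *s)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    long v = 0;
    int i;

    for (i = 0; i < 4 && s[i] != '\0'; i++) {
        const char *p = strchr(set, s[i]);
        if (p == NULL)
            break;
        v |= (long)(p - set) << (6 * i);
    }
    return v;
}

/* Returns 1 if a password change would be forced at time `now` (seconds). */
int must_change(const char *age, long now)
{
    long v = age_decode(age);
    long maxweeks = v & 077;
    long minweeks = (v >> 6) & 077;
    long changed = v >> 12;          /* week of last change, since 1970 */
    long week = now / WEEK;

    if (changed > week)              /* assumed rule: stamp in the future */
        return 1;
    return week > changed + maxweeks && maxweeks >= minweeks;
}

int main(void)
{
    /* Constructed fields: max 8 weeks, min 0, changed in week 810 / 832. */
    const char *before = "6.eA";     /* changed mid-July 1985 (week 810) */
    const char *redone = "6..B";     /* changed while clock said December */

    printf("correct clock, week 812:  %d\n", must_change(before, 812 * WEEK));
    printf("clock jumps to week 832:  %d\n", must_change(before, 832 * WEEK));
    printf("clock fixed, new stamp:   %d\n", must_change(redone, 812 * WEEK));
    return 0;
}
```

The third case is the "age in reverse" effect: the stamp written while the clock was wrong is later than the corrected date. Checking the clock before going multi-user avoids both forced changes.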

lasse@daab.UUCP (Lars Hammarstrand) (08/05/85)

In article <194@drivax.UUCP> alan@drivax.UUCP (Alan Fargusson) writes:
>> In article <527@dicomed.UUCP> salmi@dicomed.UUCP (John Salmi) writes:
>> >I understand that SysV offers a password aging scheme.  Does 4.x BSD support
>> >anything similar?  If no, has anyone done a hack to allow password aging?
>
>I seem to have missed the original article, but I would like to say that
>we have been using the password aging stuff here for over a year, and I
>think it is real poor. Bad things happen when the date is wrong when
>the system comes up, which is real likely since System V uses the time
>of day clock in a VAX in a different way than VMS, and the DEC diagnostics
>run under VMS. Real life scenario: DEC comes in and runs diagnostics, sets
>date under VMS, reboots UNIX, date becomes next December, passwords age, all
>the news expires, I come in and fix the date, passwords age again (sounds like
>a bug, why should they age in reverse?).
>
>Also the new restrictions on what can be used for a password are ridiculous.
>They prevent me from using passwords that are hard for other people to type
>but are easy for me to type. Everyone that I know just puts a number on
>the front of the password that they want anyway, which defeats the restrictions.
>-- 
>
>Alan Fargusson.
>
>{ ihnp4, amdahl, mot }!drivax!alan

I'm sad to hear that you have problems with your VAX because we have been using
the passwd aging system (UniPlus+ UNIX System V.2 on a Cromemco) for about 6
months now, and there have been no problems at all except when you don't set the
right date when you are in "Single user mode" starting "Multi user mode" and
then you have to change passwd before you can log in to your system. After that,
of course, you must go down to "Single User mode" to correct the date (It's bad
practice to change it in "Multi user mode" because of the accounting system).
(But you can never change your passwd for root too often)

	My name: Lars Hammarstrand.
	My company: Datorisering AB,  SWEDEN.

	UUCP:	{seismo,decvax,philabs}!mcvax,ukc,unido!enea!daab!lasse
	ARPA:	decvax!mcvax!enea!daab!lasse@berkley.arpa