dnelson@ddsw1.UUCP (Douglas Nelson) (02/23/88)
I still stand on my idea that people should be aware of how easily their systems can be penetrated by users using the program I previously posted. Why not just add a few lines to your system and have it require the users to have at least one numeric digit in their password?

I know several other companies that 'pass out' the user's passwords, but I can see that this mumbo-jumbo random password is only going to make people write them down on a piece of paper that ends up in a wallet, purse, or top desk drawer. I also don't think that simply instructing the users to use a numeric digit in their password is enough to create a lasting impression. I think the best, and perhaps most simple once implemented, is to re-write the source, which will check and require the user to have at least the one numeric digit. I doubt most users would have a problem with having a password of something like "shoe999" or something that THEY can set and thus easily remember, instead of "sJ2s&$kT!" or something.

Also, I know it is available on most other operating systems, so perhaps it is also available on Unix-type systems, a 'password expiration date' so to say. This will force users to change their passwords occasionally.

A fellow Usenet user left me mail that said something that I thought could explain some of the flame over my posting of that program: "Perhaps some of the flame that is coming your way due to the posting of that program is because the simplicity of how easily their security can be breached has hit a little closer to home than they feel comfortable with."

As always, I welcome any questions/suggestions/threats via mail.

------------------
Douglas Nelson
dnelson@ddsw1.UUCP
------------------
gwyn@brl-smoke.ARPA (Doug Gwyn) (02/24/88)
In article <772@ddsw1.UUCP> dnelson@ddsw1.UUCP (Douglas Nelson) writes:
>Also, I know it is available on most other operating systems, so perhaps it
>is also available on Unix-type systems, a 'password expiration date' so to
>say. This will force users to change their passwords occasionally.

This is a standard feature on UNIX System V (it is enabled on a per-account basis). But it's not really a good idea under normal circumstances -- if a person has chosen a good, secure password, it is folly to force them to change it. Eventually they will quit being careful and just pick a lousy password, affording an intruder an improved entry opportunity.
jk3k+@andrew.cmu.edu (Joseph G. Keane) (02/25/88)
It seems that the main result of `password expiration dates' is to cause users to switch between two (or more) passwords.

--Joe
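Added example, not part of the original thread: a Python sketch of the two controls discussed above, the check Nelson proposes (at least one numeric digit) and a password history that refuses the alternation Keane describes when expiry forces a change. The Account class, HISTORY_DEPTH and PBKDF2_ROUNDS are assumptions made for illustration, not code from any Unix passwd program.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 4       # assumed: number of previous passwords remembered
PBKDF2_ROUNDS = 50_000  # assumed work factor for this illustration


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored history is not a list of cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Hypothetical account record holding salted digests, newest first."""

    def __init__(self):
        self.history = []  # list of (salt, digest) tuples

    def change_password(self, new_password: str) -> str:
        """Return "ok", or the reason the new password was refused."""
        # Nelson's rule: at least one numeric digit.
        if not any(ch.isdigit() for ch in new_password):
            return "needs a numeric digit"
        # Keane's observation: refuse a password still in the history,
        # so a user cannot flip between two favourites at each expiry.
        for salt, digest in self.history:
            if hmac.compare_digest(_digest(new_password, salt), digest):
                return "recently used"
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(new_password, salt)))
        del self.history[HISTORY_DEPTH:]  # forget entries beyond the depth
        return "ok"


def simulate_forced_changes(passwords):
    """Apply a sequence of attempted passwords to one account, in order."""
    acct = Account()
    return [acct.change_password(p) for p in passwords]


if __name__ == "__main__":
    # Constructed sample: a user alternating between two passwords.
    for attempt, result in zip(
        ["shoe", "shoe999", "boot123", "shoe999"],
        simulate_forced_changes(["shoe", "shoe999", "boot123", "shoe999"]),
    ):
        print(f"{attempt!r}: {result}")
```

A finite history only delays reuse: once HISTORY_DEPTH newer passwords have been set, the oldest one is accepted again.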