mitch@hq.af.mil (Mitchell..Wright) (12/15/89)
> Newsgroups: comp.unix.wizards
> Date: 15 Dec 89 01:02:15 GMT

lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:

>We FORCE people to have the same password everywhere. Even if some users
>[...] Once a cracker gets onto one of our machines, he can get to any of
>the others anyway, so why have different passwords?

Having different passwords would keep the cracker off of your other machines. It is the use of '.rhosts', etc. that allows this. In my case, you could have any one of my passwords, but it wouldn't help you gain access to my accounts.

>[...]
>By the way, another reason for having the same password everywhere is that
>we force a person's password entry to have the same salt in every password
>file. If you let people have the same password on different machines but
>use different salts (and if the salts are different, how can you prevent
>people from using the same password anyway?) then your salt protection
>is weakened. Suppose you have your password out there with 40 different
>salts. Someone only has to encrypt using 1/40th of the salts to get a hit
>on your password.

I agree that it is difficult (if not impossible) to get users to use different passwords on different systems. It should be emphasized that it increases their personal security as well as the systems'. I have heard the argument that "It is too hard to remember X number of passwords". Well, it's not - you just have to set up a system for yourself. A system I used for a while was to take an acronym (i.e. nasa) and combine it with a non-alphanumeric (i.e. !) and append the hostname (first ~3 chars). For instance, my password on Podunk.edu might be "cuw*Podu". Your acronyms can be as obscure as you want. Using the hostname is probably not a good thing to use to vary your passwords since a cracker could probably figure that pattern out.

So using this concept one could make the password "P[cuw]u", to make the pattern less obvious, or use a non-obvious varying part "cuw!07" where the "07" part might mean the 7th choice on your terminal emulator's calling directory, amongst other things. Of course the real strength in this password scheme is not that the passwords are different, but that an acronym can be a very good password and a good acronym will only be "cracked" by an exhaustive search.

..mitch
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mitch Wright                        Currently under contract to:
P.O. Box 46135                      USAF 7th CG, DOWL
Washington DC 20050
ARPA: mitch@hq.af.mil               gretzky@unison.larc.nasa.gov
UUCP: uunet!hq.af.mil!mitch         AT&T: (202) 697-3774
BLDG: Pentagon  ROOM: 1D159
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
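The salt argument Larry Wall makes in the quoted text above ("40 different salts ... 1/40th of the salts") can be checked numerically. This is an added example, not code from the thread; it assumes the classic 12-bit crypt(3) salt space (4096 values) and an attacker who precomputes a dictionary under a uniformly chosen subset of those salts. The `hit_probability` function is the exact hypergeometric answer and `simulate` is a Monte Carlo cross-check.

```python
"""Model of the salt-reuse argument from the thread (constructed example)."""
from math import comb
import random

SALT_SPACE = 4096  # 12-bit crypt(3) salt: 4096 possible values


def hit_probability(precomputed_salts: int, user_salts: int) -> float:
    """P(at least one of a user's `user_salts` distinct salts is among the
    `precomputed_salts` salts the attacker chose uniformly from SALT_SPACE).

    P(no overlap) is hypergeometric: C(N - s, k) / C(N, k); we return 1 - that.
    """
    if not 0 <= precomputed_salts <= SALT_SPACE or not 0 <= user_salts <= SALT_SPACE:
        raise ValueError("salt counts must lie within the salt space")
    no_overlap = comb(SALT_SPACE - precomputed_salts, user_salts) / comb(SALT_SPACE, user_salts)
    return 1.0 - no_overlap


def simulate(precomputed_salts: int, user_salts: int, trials: int = 5000, seed: int = 1) -> float:
    """Monte Carlo estimate of the same probability (seeded, so deterministic)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        table = set(rng.sample(range(SALT_SPACE), precomputed_salts))   # attacker's salts
        mine = rng.sample(range(SALT_SPACE), user_salts)                 # user's stored salts
        if any(s in table for s in mine):
            hits += 1
    return hits / trials


def compare(user_hosts: int = 40) -> dict:
    """Larry's scenario: a password stored on `user_hosts` machines, attacker
    precomputes under 1/user_hosts of the salt space.  Returns the hit
    probability when every host shares one salt vs. one distinct salt per host.
    """
    precomputed = SALT_SPACE // user_hosts   # 102 salts for 40 hosts
    return {
        "same_salt_everywhere": hit_probability(precomputed, 1),
        "distinct_salt_per_host": hit_probability(precomputed, user_hosts),
    }


if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name:24s} P(hit) = {p:.3f}")
```

With 40 distinct salts the precomputed table covering 1/40th of the space hits about 64% of the time, versus about 2.5% when all 40 entries share one salt, which is the effect Larry is describing; the remaining question the thread raises is whether that risk outweighs the .rhosts-style lateral movement that identical passwords enable.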
ram@attcan.UUCP (Richard Meesters) (12/18/89)
In article <MITCH.89Dec15104132@hq.af.mil>, mitch@hq.af.mil (Mitchell..Wright) writes:

> I have heard the argument that "It is too hard to remember X number of
> passwords". Well, it's not - you just have to set up a system for yourself. A
> system I used for a while was to take an acronym (i.e. nasa) and combine it
> with a non-alphanumeric (i.e. !) and append the hostname (first ~3 chars). For
> instance, my password on Podunk.edu might be "cuw*Podu". Your acronyms can be
> as obscure as you want. Using the hostname is probably not a good thing to
> use to vary your passwords since a cracker could probably figure that pattern
> out. So using this concept one could make the password "P[cuw]u", to make the
> pattern less obvious or use a non-obvious varying part "cuw!07" where the "07"
> part might mean the 7th choice on your terminal emulator's calling directory
> amongst other things. Of course the real strength in this password scheme is
> not that the passwords are different, but that an acronym can be a very good
> password and a good acronym will only be "cracked" by an exhaustive search.

All this is a wonderful way of thinking up a password, but what happens when it comes to password aging? If you have to change your password as a result of aging, how do you change the pattern? Do you have to come up with a new acronym? If so, you may find that it's just as hard to remember as any other way that people can come up with.

I figure that how you set up your password schemes should depend on how much security you want to build into your systems. On my personal systems, I don't use, nor do I want to be forced to use, password aging. I don't think I have any information that needs to be necessarily secured.

Unfortunately, as you increase the level of security, you are going to increase the difficulty of accessing the system for your users. I just can't see any other way around it.

Regards,
Richard Meesters
richard@aiai.ed.ac.uk (Richard Tobin) (12/19/89)
In article <MITCH.89Dec15104132@hq.af.mil> mitch@hq.af.mil (Mitchell..Wright) writes:

>I have heard the argument that "It is too hard to remember X number of
>passwords". Well, it's not - you just have to set up a system for yourself.

And there we have it. A fine argument against requiring users to have different passwords or change them often.

Maybe your "system" is obscure enough. Well, I doubt it. But even if it is, what about the next user's?

-- Richard

PS this isn't a unix issue - I've redirected followups to comp.misc
--
Richard Tobin,                       JANET: R.Tobin@uk.ac.ed
AI Applications Institute,           ARPA:  R.Tobin%uk.ac.ed@nsfnet-relay.ac.uk
Edinburgh University.                UUCP:  ...!ukc!ed.ac.uk!R.Tobin