whh@pbhya.PacBell.COM (Wilson Heydt) (12/21/88)
There has been a lot of discussion lately about enforcing better password choices by users. I have a modest suggestion . . .

Why not set up a small daemon that tries to break passwords and reports--by mail--to the user and the system administrator that the password has been broken. Not what the password is--the user knows that, just how long it took to break. If the same users are getting their passwords broken quickly, then the administrator can have a talk with the user about how to pick better passwords. If they aren't being broken, then the users are probably making good choices.

The complaint about this scheme will be that the cracking program provides an example to others of How To Do It. I think this argument fails on two grounds. First, as has been often enough pointed out, the attackers already *know* how this is done--you are not telling them anything new. Secondly, the nature of the program will provide clues about what kinds of passwords are being avoided on a given system. This second point may be partially true, but only if the cracker knows what kind of passwords are being avoided locally. However, if the cracker has gotten that far into the system, that knowledge is probably already useless, save as a curiosity.

On the positive side, I think such a program can serve to gently educate users about better passwords far more effectively than jumping up and down and screaming at them. In addition, you will only have to deal with those users who are in the habit of picking poor passwords--and not irritating those that already pick good ones.

--Hal
=========================================================================
Hal Heydt                 | "Hafnium plus Holmium is
Analyst, Pacific*Bell     |  one-point-five, I think."
415-645-7708              |       --Dr. Jane Robinson
{att,bellcore,sun,ames,pyramid}!pacbell!pbhya!whh
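The audit daemon Hal describes, written here as an added illustration rather than code from the original post: it guesses against stored hashes from a small wordlist and reports only whether each password fell and how many guesses and seconds it took, never the password itself. The users, the wordlist and the salted PBKDF2 hashes are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed sample data: a tiny wordlist and two "accounts". These stand in for
# a real password file and are not taken from any system.
WORDLIST = ["password", "letmein", "welcome", "qwerty", "secret"]


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the audit cost resembles a real password store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def make_record(user: str, password: str) -> dict:
    salt = b"constructed-salt-" + user.encode()
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


SAMPLE_RECORDS = [
    make_record("alice", "letmein"),           # weak: appears in the wordlist
    make_record("bob", "correct-horse-x7!"),   # not in the wordlist
]


def audit_record(record: dict, wordlist=WORDLIST) -> dict:
    """Try each candidate in turn. Returns the guess count and elapsed time;
    the matching candidate is deliberately not part of the result."""
    start = time.perf_counter()
    for attempts, candidate in enumerate(wordlist, 1):
        digest = hash_password(candidate, record["salt"])
        if hmac.compare_digest(digest, record["hash"]):
            return {"user": record["user"], "cracked": True,
                    "attempts": attempts, "seconds": time.perf_counter() - start}
    return {"user": record["user"], "cracked": False,
            "attempts": len(wordlist), "seconds": time.perf_counter() - start}


def report_line(result: dict) -> str:
    """Body of the mail sent to the user and the administrator: time and
    guess count only, as the post proposes."""
    if result["cracked"]:
        return (f"Password for {result['user']} was guessed after "
                f"{result['attempts']} guesses ({result['seconds']:.3f} s). "
                "Please choose a stronger password.")
    return f"Password for {result['user']} withstood {result['attempts']} guesses."


def audit_all(records=SAMPLE_RECORDS, wordlist=WORDLIST) -> list:
    return [audit_record(r, wordlist) for r in records]


if __name__ == "__main__":
    for result in audit_all():
        print(report_line(result))
```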