[net.unix-wizards] Passwords

chris@umcp-cs.UUCP (06/18/83)

Ok, yes, now that you mention it, I do recall something I read on
choosing passwords.  I've changed mine so that no dictionary search,
nor any friends-or-relatives-names search, will crack it.  I think
I like Alan S. Watt's method of taking a favorite phrase and using
the first (or whatever) letter of each word.  Easy to remember,
and usually nonsensical without knowing the phrase.  Perhaps it's
also a good idea to change one character in a bizarre way (use the
numeric value or something) so that no phrase-testing program will
break it?

				- Chris
-- 
UUCP:	{seismo,allegra,brl-bmd}!umcp-cs!chris
CSNet:	chris@umcp-cs
ARPA:	chris.umcp-cs@UDel-Relay
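The phrase-derived password Chris describes, and the "phrase-testing program" he worries about, as an added example that is not part of the original posts. It builds a password from the first letter of each word of a constructed sample phrase, applies a one-character numeric twist, and then runs a small tester over a constructed list of well-known phrases to show that the plain derivation is found while the twisted one is not. SHA-256 with no salt stands in for crypt(3) here purely so the example runs offline; the phrase list, the twist rule and the position set are all assumptions for illustration.

```python
import hashlib
import re

# Constructed sample phrase and constructed "well-known phrase" list (assumptions).
PHRASE = "the quick brown fox jumps over the lazy dog"
WELL_KNOWN_PHRASES = [
    "to be or not to be that is the question",
    "the quick brown fox jumps over the lazy dog",
    "four score and seven years ago our fathers brought forth",
    "a stitch in time saves nine",
]


def letters_from_phrase(phrase, position=0):
    """Build a password from one letter of each word.

    position=0 takes the first letter of each word; position=1 the second;
    position=-1 the last.  Words too short for the requested position are skipped.
    """
    words = re.findall(r"[A-Za-z']+", phrase)
    if position >= 0:
        return "".join(w[position] for w in words if len(w) > position)
    return "".join(w[position] for w in words if len(w) >= -position)


def numeric_twist(password, index):
    """Replace one character with a digit derived from it: a=1 ... i=9, j=0, k=1, ...

    This is an illustration of "use the numeric value or something"; any
    personal, hard-to-guess rule serves the same purpose.
    """
    c = password[index].lower()
    digit = str((ord(c) - ord("a") + 1) % 10)
    return password[:index] + digit + password[index + 1:]


def stand_in_hash(password):
    """Stand-in for crypt(3) so the example runs anywhere; not a password hash to deploy."""
    return hashlib.sha256(password.encode()).hexdigest()


def phrase_tester(target_hash, phrases, positions=(0, 1, -1)):
    """A minimal 'phrase-testing program': derive candidates from each phrase and
    compare hashes.  Returns the matching candidate, or None if none matches."""
    for phrase in phrases:
        for pos in positions:
            base = letters_from_phrase(phrase, pos)
            for candidate in (base, base.upper(), base.capitalize()):
                if stand_in_hash(candidate) == target_hash:
                    return candidate
    return None


if __name__ == "__main__":
    plain = letters_from_phrase(PHRASE)            # 'tqbfjotld'
    twisted = numeric_twist(plain, 4)              # 'tqbf0otld'
    print("plain derivation found:", phrase_tester(stand_in_hash(plain), WELL_KNOWN_PHRASES))
    print("twisted derivation found:", phrase_tester(stand_in_hash(twisted), WELL_KNOWN_PHRASES))
```

The tester only enumerates the derivation rules it knows; a tester that also tried a few common substitutions would cover the twist as well, so the twist buys time in proportion to how unusual the rule is, and a phrase that is not in anyone's quotation list buys more.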

smk@linus.UUCP (Steven M. Kramer) (06/18/83)

Morrie Gasser (linus!bccvax!mg) in 1975 wrote a password generator
that provides the user with pronounceable passwds.  I always
thought that was a little awkward (although much safer than what
we have now), but from the schemes I hear, it is far superior.
I will be putting this into LINUS IV when I can (a year?).
-- 
--steve kramer
	{allegra,genrad,ihnp4,utzoo,philabs,uw-beaver}!linus!smk	(UUCP)
	linus!smk@mitre-bedford						(ARPA)

bill@utastro.UUCP (06/20/83)

Another way to improve security of passwords is to use
capital letters for some of the letters.  You can also
use (some) control codes -- experiment to see which ones
are valid.  (Obviously you can't use \r or \n).

		Bill Jefferys  
		Astronomy Dept
		University of Texas
		Austin TX 78712

		(...ucbvax!nbires!ut-ngp!utastro!bill)
		(...decvax!eagle!ut-ngp!utastro!bill)
		(   utastro!bill@utexas-11)

sater@vu44.UUCP (06/20/83)

About using a passwd generator I have the following to add.
If the random number generator inside it has a too small period
you get into amusing trouble.
See
	Password Security: A Case History
by	Robert Morris
and	Ken Thompson

as distributed with the standard V7 documentation.
The relevant passage starts
	An anecdote

How long can one avoid reinventing the wheel ?

		Hans van Staveren
		Vrije Universiteit
		Amsterdam, Holland
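A pronounceable password generator of the kind Steve Kramer mentions, together with the failure mode Hans van Staveren points to, as an added example that is not part of the original posts and not Gasser's generator. The anecdote in Morris and Thompson's paper concerns a generator whose pseudo-random sequence was seeded from a 15-bit value, so that at most 2^15 distinct passwords could ever come out of it and all of them could be tried. The code below builds an eight-character consonant/vowel password in two ways: from a deterministic generator seeded with a 15-bit number, which an attacker can enumerate in full, and from the operating system's entropy source. The consonant and vowel sets, the alternation rule and the seed width are assumptions for illustration.

```python
import math
import random
import secrets

# Constructed alphabet (assumption): alternating these gives readable syllables.
CONSONANTS = "bcdfghjklmnprstvwz"   # 18 letters
VOWELS = "aeiou"                    # 5 letters
SEED_BITS = 15                      # the anecdote's seed width
LENGTH = 8


def pronounceable(length, rng):
    """Alternate consonant and vowel positions, drawing each from `rng`."""
    out = []
    for i in range(length):
        pool = CONSONANTS if i % 2 == 0 else VOWELS
        out.append(pool[rng.randrange(len(pool))])
    return "".join(out)


def generate_weak(seed):
    """The flawed design: a deterministic generator keyed by a small seed."""
    return pronounceable(LENGTH, random.Random(seed))


def generate_strong():
    """The sound design: every position drawn from the OS entropy source."""
    return pronounceable(LENGTH, secrets.SystemRandom())


def nominal_keyspace_bits(length):
    """Entropy a user would expect from the alphabet alone."""
    return sum(math.log2(len(CONSONANTS) if i % 2 == 0 else len(VOWELS))
               for i in range(length))


def enumerate_weak():
    """Everything the weak generator can ever produce: at most 2**SEED_BITS strings."""
    return {generate_weak(s) for s in range(2 ** SEED_BITS)}


def crack_weak(target):
    """Recover a seed that reproduces `target`; the whole search is 2**SEED_BITS trials."""
    for seed in range(2 ** SEED_BITS):
        if generate_weak(seed) == target:
            return seed
    return None


if __name__ == "__main__":
    print("nominal keyspace: %.1f bits" % nominal_keyspace_bits(LENGTH))
    print("weak generator outputs:", len(enumerate_weak()), "(<= 2^%d)" % SEED_BITS)
    victim = generate_weak(secrets.randbelow(2 ** SEED_BITS))
    print("cracked", victim, "from seed", crack_weak(victim))
    print("strong sample:", generate_strong())
```

The nominal keyspace is about 26 bits, but the weak generator's real keyspace is bounded by its seed, not its alphabet; the period or seed width of the generator, not the letter count, sets the work an attacker faces.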

dee@cca.UUCP (06/24/83)

How about hacking passwd so that when you change your password it first
checks that you are really changing it and that your new password is not
in a database of old passwords.  If you flunk that test, it does
nothing.  If you pass, it changes your password and adds your old one to
the database.  In time, combined with a few complexity and length
checks, it should make passwords pretty secure.  If passwords went stale
and stopped working if you didn't change them once every N months, it
would be even better.
						Donald Eastlake
						dee@cca-unit
						decvax!cca!dee

gwyn%brl-vld@sri-unix.UUCP (06/24/83)

From:      Doug Gwyn (VLD/VMB) <gwyn@brl-vld>

UNIX System III and later do have a password aging feature, implemented
upward-compatibly so old passwords could continue to be used while time
limits are added to /etc/password.  Passwords can also continue without
aging on an individual basis if management so chooses.
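The passwd checks Donald Eastlake proposes, plus the aging Doug Gwyn describes, as an added example that is not part of the original posts and not the System III implementation. The change routine verifies the old password, refuses a new one that equals the current password or any in the account's history, applies length and complexity checks, and only then rotates the current hash into the history. A separate check treats a password as stale after a maximum age, with aging switchable off per account. Salted SHA-256 stands in for crypt(3) so the example runs offline; the 90-day limit, the history depth, the complexity rules and the small common-password list are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

MIN_LENGTH = 8
HISTORY_DEPTH = 10
MAX_AGE_DAYS = 90           # "once every N months": three months assumed here
COMMON = {"password", "secret", "letmein", "qwerty123"}   # constructed list


def _hash(password, salt):
    """Stand-in for crypt(3): salted SHA-256, stored as 'salt:digest'."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + ":" + digest


def _matches(password, stored):
    salt = stored.split(":", 1)[0]
    return hmac.compare_digest(_hash(password, salt), stored)


class Account:
    def __init__(self, password, today):
        self.current = _hash(password, secrets.token_hex(8))
        self.history = []          # hashes of retired passwords, newest last
        self.last_change = today
        self.aging = True          # management may exempt an account


def complexity_problems(password):
    """Return a list of reasons the candidate is unacceptable (empty if fine)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(not c.isalpha() for c in password):
        problems.append("contains only letters")
    if password.lower() in COMMON:
        problems.append("is a common password")
    return problems


def change_password(acct, old, new, today):
    """Apply the checks in order; on any failure change nothing and say why."""
    if not _matches(old, acct.current):
        return "authentication failed"
    if _matches(new, acct.current):
        return "new password is the same as the old one"
    if any(_matches(new, h) for h in acct.history):
        return "password previously used"
    problems = complexity_problems(new)
    if problems:
        return "rejected: " + "; ".join(problems)
    acct.history.append(acct.current)
    acct.history = acct.history[-HISTORY_DEPTH:]
    acct.current = _hash(new, secrets.token_hex(8))
    acct.last_change = today
    return "ok"


def password_stale(acct, today):
    """True when aging applies and the password is older than MAX_AGE_DAYS."""
    if not acct.aging:
        return False
    return today - acct.last_change > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    d = date(1983, 6, 24)
    acct = Account("Correct-Horse7", d)
    print(change_password(acct, "Correct-Horse7", "short", d))
    print(change_password(acct, "Correct-Horse7", "Battery-Staple9", d))
    print(change_password(acct, "Battery-Staple9", "Correct-Horse7", d))
    print("stale on 1983-12-01:", password_stale(acct, date(1983, 12, 1)))
```

Storing the history as hashes rather than plaintext matters: a database of old passwords in the clear is a ready-made dictionary for the attacker who obtains it.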