rogue@cellar.UUCP (Rache McGregor) (06/25/91)
mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:
> I do not buy the idea that easy-to-guess passwords "deserve" to be stolen,
> nor that it is legitimate to run a password guesser "to see if the system
> is secure." Other tests, possibly, but not something that will give you
> direct access to someone else's password.
>

There is a person at my worksite (Novell Netware, alas) who needed me to do something in his account. When I asked him to log me in, he said, "Oh, you can do it yourself, my password is 'password.'" I looked at him with some mixture of shock, incredulity, and trying to stifle a guffaw, and told him that if anyone broke into his account, he DID deserve it.

> Even the Free Software Foundation notices if you call "crypt" more than a
> few times (as when running a password guesser).

And what do they do then?

[In the case of the ridiculous user above, I set his password to expire the next day, and made sure he was forced to enter something else. I just hope it wasn't his name.]

Rachel K. McGregor            : Let the fire be your friend : Call the
a/k/a Rogue Winter            : And the sea rock you gently : Cellar at
rogue@cellar.uucp             : Let the moon light your way : 215/336-9503
{tredysvr,uunet}!cellar!rogue : 'Til the wind sets you free : BBS & Usenet