ts@cup.portal.com (Tim W Smith) (12/04/90)
Why does this system insist that it knows better than I do what passwords
should be used on *MY* machine? This is most annoying. I have an account
that I want to set the password for to the single letter 'a'.

The stupid thing is not even consistent! It will let me easily create an
account with no password, which is a much bigger security problem than what I
want to do!

Am I going to have to resort to editing the encrypted password
myself?

Tim Smith
kherron@ms.uky.edu (Kenneth Herron) (12/04/90)
Tim,

Did you know that they make coffee with all the caffeine taken out? Try
some, I think you'll feel better.

>Why does this system insist that it knows better than I do what passwords
>should be used on *MY* machine? This is most annoying. I have an account
>that I want to set the password for to the single letter 'a'.

It's called security. I don't know about your site, but some sites have
to protect against breakins, and that means users have to use reasonable
passwords, not stupid ones like "a". If your site is secure against
breakins then you just replace the console getty with a shell and avoid
the whole login process. Or replace passwd with /bin/true and avoid
password checking.

>The stupid thing is not even consistent! It will let me easily create an
>account with no password, which is a much bigger security problem than what I
>want to do!

If this is so easy, why put a stupid one-letter password on the account
at all? Don't say "security," it WON'T be secure.

>Am I going to have to resort to editing the encrypted password
>myself?

Yeah, you go do that.

-- 
Kenneth Herron                                    kherron@ms.uky.edu
University of Kentucky                               (606) 257-2975
Department of Mathematics     "Never trust gimmicky gadgets" -- The Doctor
ts@cup.portal.com (Tim W Smith) (12/06/90)
> It's called security. I don't know about your site, but some sites have
> to protect against breakins, and that means users have to use reasonable
> passwords, not stupid ones like "a".

I'm not trying to do this as a user. I'm trying to do this as root.
I fear that I did not make this clear in my original posting, as I have
received several email suggestions that I try to set the password while
logged in as root.

>>The stupid thing is not even consistent! It will let me easily create an
>>account with no password, which is a much bigger security problem than what I
>>want to do!
>
>If this is so easy, why put a stupid one-letter password on the account
>at all? Don't say "security," it WON'T be secure.

Some things seem to insist on passwords. For example, I've seen FTP have
trouble dealing with an account with no password. No doubt I did something
wrong when I installed it. I don't care. It works better with a password,
so I want to put a password on my FTP test account.

In general, when I encounter something that wants a password, but for which
I would prefer not to use a password, if the thing shows any reluctance to
work with no password, I use "a" as the password. It's easy to remember and
I'm consistent: I do this on all machines, so I don't have to remember
anything.

I *KNOW* this sucks from a security point of view. I'm not trying to have
security. For example, my network consists of two machines sitting in my
office. There are no outside connections. The entire reason this network
exists is so that I can test the ethernet driver I am implementing.

My main point is that root should be able to do whatever stupid things root
wants to. The machine can warn root that root is being stupid, but root
should be able to go ahead and be an idiot.

Tim Smith
jon@hitachi.uucp (Jon Ryshpan) (12/12/90)
In article <36600@cup.portal.com> ts@cup.portal.com (Tim W Smith) writes:
>> It's called security. I don't know about your site, but some sites have
>> to protect against breakins, and that means users have to use reasonable
>> passwords, not stupid ones like "a".

SysV Unix (at least Interactive) allows you to create a password
without numerics or special chars for root or a system account at
system initialization, but it won't allow a user account to have
this kind of password.

Explain that!

Jonathan Ryshpan <...!uunet!hitachi!jon>
kherron@ms.uky.edu (Kenneth Herron) (12/12/90)
jon@hitachi.uucp (Jon Ryshpan) writes:
>In article <36600@cup.portal.com> ts@cup.portal.com (Tim W Smith) writes:

No, actually I wrote this paragraph

>>> It's called security. I don't know about your site, but some sites have
>>> to protect against breakins, and that means users have to use reasonable
>>> passwords, not stupid ones like "a".

>SysV Unix (at least Interactive) allows you to create a password
>without numerics or special chars for root or a system account at
>system initialization, but it won't allow a user account to have
>this kind of password.

>Explain that!

I just rlogin'ed to a machine running AT&T SysV/386 3.2.1 and, as root, was
able to apply the password "a" to a previously-unpassworded user account.
Had I logged into this account and then tried to change its password, I
presume I would have had to pick something more complex.

We don't have a system loaded with Interactive (or SCO, for that matter)
around here but I assume they're similar in that root can put any password
on any account but that other users must pick something reasonable. If
this is not the case, then I, personally, do not give a damn. The point of
my original posting was this: If you're going to use passwords AT ALL then
why go with a silly, unsecure one?

-- 
Kenneth Herron                                    kherron@ms.uky.edu
University of Kentucky                               (606) 257-2975
Department of Mathematics
I just proved Fermat's last theorem, but .signatures can only be four lines.
les@chinet.chi.il.us (Leslie Mikesell) (12/13/90)
In article <662@hitachi.uucp> jon@hitachi.UUCP (Jon Ryshpan) writes:
>SysV Unix (at least Interactive) allows you to create a password
>without numerics or special chars for root or a system account at
>system initialization, but it won't allow a user account to have
>this kind of password.
>Explain that!

It's who is doing it, not the account that is being given the password
that makes the difference. As usual, root is allowed to do anything he
wants. If you are logged in as root you can give any user a password
without the check for content.

Les Mikesell
les@chinet.chi.il.us
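As an added example (not code from any of the posts, nor from any real passwd(1)), a C model of the caller-based check Herron and Mikesell describe, alongside a hardened variant that still gives root the warn-then-override behaviour Smith asks for. MIN_LEN and the "at least one non-letter" rule are my assumptions; the thread gives no exact policy.

```c
/* Added example, not code from the thread or from a real passwd(1). */
#include <ctype.h>
#include <string.h>
#include <sys/types.h>

#define MIN_LEN 6   /* assumed; the thread states no minimum length */

enum verdict { PW_OK = 0, PW_OK_OVERRIDDEN, PW_EMPTY, PW_TOO_SHORT, PW_ALPHA_ONLY };

/* Content rule on the candidate alone: the thread says a user password
 * "without numerics or special chars" is refused, so require one non-letter. */
enum verdict content_check(const char *pw)
{
    size_t n = strlen(pw);
    int nonalpha = 0;

    if (n == 0)      return PW_EMPTY;
    if (n < MIN_LEN) return PW_TOO_SHORT;
    for (size_t i = 0; i < n; i++)
        if (!isalpha((unsigned char)pw[i])) nonalpha = 1;
    return nonalpha ? PW_OK : PW_ALPHA_ONLY;
}

/* Historical behaviour as Herron and Mikesell describe it: the check keys on
 * the caller's uid, not the target account, so root may set "a" anywhere.
 * An account created with no password never reaches the check at all, which
 * is the inconsistency Smith points out; modelled here as the empty case. */
enum verdict sysv_passwd_check(const char *pw, uid_t caller_uid)
{
    if (caller_uid == 0) return PW_OK;          /* root bypasses the check */
    if (pw[0] == '\0')   return PW_OK;          /* blank field slips through */
    return content_check(pw);
}

/* Hardened variant: one rule for every path, a blank password is the weakest
 * case, and root is warned but may still override ("the machine can warn
 * root that root is being stupid"). */
enum verdict hardened_check(const char *pw, uid_t caller_uid, int root_override)
{
    enum verdict v = content_check(pw);

    if (v == PW_OK) return PW_OK;
    if (caller_uid == 0 && root_override)
        return PW_OK_OVERRIDDEN;                /* accepted, but flagged weak */
    return v;                                   /* everyone else is refused */
}
```

With the hardened variant, the blank-password case that the original thread calls "a much bigger security problem" is the one that can no longer slip through unnoticed.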
allbery@NCoast.ORG (Brandon S. Allbery KB8JRR) (12/14/90)
As quoted from <662@hitachi.uucp> by jon@hitachi.uucp (Jon Ryshpan):
+---------------
| In article <36600@cup.portal.com> ts@cup.portal.com (Tim W Smith) writes:
| >> It's called security. I don't know about your site, but some sites have
| >> to protect against breakins, and that means users have to use reasonable
| >> passwords, not stupid ones like "a".
| 
| SysV Unix (at least Interactive) allows you to create a password
| without numerics or special chars for root or a system account at
| system initialization, but it won't allow a user account to have
| this kind of password.
| 
| Explain that!
+---------------

System V assumes the superuser knows what he's doing. Possibly incorrect,
but hardcoding the requirements into passwd is no substitute for teaching
these fledgling sysadmins how to administer a system. This is the same
kind of muddy thinking that leads to "security through obscurity"
braindamage.

++Brandon
-- 
Me: Brandon S. Allbery                    VHF/UHF: KB8JRR on 220, 2m, 440
Internet: allbery@NCoast.ORG              Packet: KB8JRR @ WA8BXN
America OnLine: KB8JRR                    AMPR: KB8JRR.AmPR.ORG [44.70.4.88]
uunet!usenet.ins.cwru.edu!ncoast!allbery  Delphi: ALLBERY
fitz@wang.com (Tom Fitzgerald) (12/22/90)
kherron@ms.uky.edu (Kenneth Herron) writes:
> The point of my original posting was this: If you're going to use
> passwords AT ALL then why go with a silly, unsecure one?

1) Because you want to let people FTP into your system; and FTP insists
   on having a password for a user account. (In some implementations of
   ftpd, anonymous ftp is broken).

2) Because your Unix prompts for a password even if the password is blank,
   and you want to set up anonymous UUCP. (Some implementations of UUCP
   have trouble sending blank lines in the chat script).

The long-term solution for both of these is to fix the software, but
sometimes you have to get some work done while you're waiting for the
fixed software to arrive.

---
Tom Fitzgerald   Wang Labs        fitz@wang.com
1-508-967-5278   Lowell MA, USA   ...!uunet!wang!fitz