Re: virulence of the recent virus


Guy Harris (auspex!guy@uunet.uu.net)
7 Nov 88 18:11:52 GMT


>As a system maintainer, the two best things you can do to increase
>your ability to sleep at night are:
>
> * enable password aging

In an article in the October 1984 AT&T Bell Laboratories Technical
Journal - "UNIX Operating System Security", F. T. Grampp and R. H.
Morris - some doubt is expressed as to whether password aging really
should help system administrators sleep better at night:

        (Description of how password aging works)

        Four things are wrong here. First, picking good passwords,
        while not very difficult, does require a little thought, and the
        surprise that comes just at login time is likely to preclude
        this. There is no hard evidence to support this conjecture, but
        it is a fact that the most incredibly silly passwords tend to be
        found on systems equipped with password aging.

        Second, the user who discovers that the new password is unsound
        or compromised cannot change it within the week without help
        from the system administrator. (This is a characteristic of
        implementations such as the System V one, which, once you've
        been forced to change your password, don't let you change it
        back for a week; of course, if you *can* change it back
        immediately, aging is pretty much advisory - gh)

        Third, the feature only forces people to toggle back and forth
        between two passwords. This is not a great gain in security,
        especially if it encourages the use of less-than-ideal
        passwords. (At an AT&T site, one person told me that it was
        common to add "0" to the end of their password, and toggle it
        between "0" and "1" whenever you were forced to change your
        password - gh)

        Fourth, as implemented, the date and the lifetime of a password
        is encoded, not encrypted, just after the encrypted password in
        the password file. It is easy to write a program that scans a
        password file and prints out a list of abandoned accounts,
        together with the length of time each account has been unused.
        Whether this is a horror or a blessing depends on your point of
        view.

>The second of these is the more useful, but both are needed in
>conjunction to close a lot of holes in Unix. This particular one requires
>that the user specify a password with complex characters in it,
>either non-alphabetic, or numeric mixed with alphabetic and of
>at least a certain length (10 characters seems like a good size).

Except that UNIX systems tend to pay attention only to the first 8
characters of the password.
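The "program that scans a password file" from the fourth point above, written from the administrator's side, is an added example and is not code from Guy Harris's post or from the Grampp and Morris paper. It assumes the classic System V layout of the aging suffix (`hash,Mmww`: max weeks, min weeks, then the week of last change as two a64l-order characters, least significant first), a constructed passwd sample, and that a password counts as expired once its age reaches the maximum; it also flags the week-long minimum-age lockout from the second point.

```python
import datetime

# a64l(3) alphabet: '.'=0, '/'=1, '0'-'9'=2..11, 'A'-'Z'=12..37, 'a'-'z'=38..63
A64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
EPOCH = datetime.date(1970, 1, 1)

# Constructed sample; the hash fields are placeholders, not real crypt(3) output.
SAMPLE_PASSWD = """\
alice:xxHASH-alice:100:10:Alice:/usr/alice:/bin/sh
bob:xxHASH-bob,20KD:101:10:Bob:/usr/bob:/bin/sh
old:xxHASH-old,2/2C:102:10:Left in 1987:/usr/old:/bin/sh
svc:xxHASH-svc:103:10:Service account:/usr/svc:/bin/sh
"""
SAMPLE_PASSWD = SAMPLE_PASSWD.replace("xxHASH-alice", "xxHASH-alice,2/ID", 1)


def a64_decode(chars):
    """Decode a little-endian base-64 string (least significant character first)."""
    value = 0
    for ch in reversed(chars):
        value = value * 64 + A64.index(ch)
    return value


def parse_aging(pw_field):
    """Split 'hash,Mmww' into (hash, (max_weeks, min_weeks, last_change_week)).
    The aging tuple is None when the entry carries no aging suffix."""
    if "," not in pw_field:
        return pw_field, None
    hashed, aging = pw_field.split(",", 1)
    max_weeks, min_weeks = A64.index(aging[0]), A64.index(aging[1])
    last_change = a64_decode(aging[2:4]) if len(aging) >= 4 else 0
    return hashed, (max_weeks, min_weeks, last_change)


def audit(passwd_text, today, stale_weeks=26):
    """Classify every account's password-aging state as of `today`."""
    now_week = (today - EPOCH).days // 7
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user, pw_field = line.split(":")[:2]
        _hashed, aging = parse_aging(pw_field)
        if aging is None:
            report[user] = {"aging": False}   # aging never enabled for this account
            continue
        max_w, min_w, changed = aging
        age = now_week - changed
        report[user] = {
            "aging": True,
            "last_change": EPOCH + datetime.timedelta(weeks=changed),
            "age_weeks": age,
            "expired": age >= max_w,        # forced to pick a new password at login
            "locked": age < min_w,          # cannot change again without the admin
            "abandoned": age > stale_weeks, # the paper's "abandoned accounts" list
        }
    return report
```

Run against the sample with `audit(SAMPLE_PASSWD, datetime.date(1988, 11, 7))` to see one account mid-lifetime, one inside the minimum-age lockout, one long abandoned, and one with no aging at all.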



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:29 GMT