Henry Spencer (firstname.lastname@example.org)
8 Nov 88 22:48:53 GMT
In article <email@example.com> firstname.lastname@example.org (Stuart Cracraft) writes:

>As a system maintainer, the two best things you can do to increase
>your ability to sleep at night are:
> * enable password aging
> * enable complex passwords

Both are mistakes. See "UNIX Operating System Security", by F.T. Grampp
and R.H. Morris (the elder!) in the Bell Labs Technical Journal, Oct 1984.

>... If you enable aging, for example, once every
>month or two, every user who logs into your system will be required
>to specify a new password.

On the spur of the moment, which means that he often will make up a poor
password, or simply alternate between two passwords. "The goal is
laudable. The algorithm, however, is bad, and the implementation, from
a security standpoint, is just awful..." (Grampp&Morris)

We thought about this for some time, and concluded that it is better to
gently remind users that their password is getting a trifle old, rather
than forcing them to change it.

>...This particular one requires
>that the user specify a password with complex characters in it,
>either non-alphabetic, or numeric mixed with alphabetic and of
>at least a certain length (10 characters seems like a good size).

Things like this may be useful in moderation; for example, preventing
overly-short passwords is certainly a good thing. However, it's very
hard to construct a simple algorithm that reliably ensures good passwords.
You may be discouraging users from choosing inventive passwords by putting
arbitrary barriers in their paths. Grampp&Morris describe a successful
attack on systems using the above algorithm: passwords consisting of the
20 most common female first names, followed by a single digit, let them
onto every single one of the several dozen machines they surveyed.
(Incidentally, Unix truncates passwords to 8 characters, so requiring
10 is pointless.)
-- 
The Earth is our mother.  | Henry Spencer at U of Toronto Zoology
Our nine months are up.   | uunet!attcan!utzoo!henry email@example.com
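The two points Henry makes about the complexity rule, that a name-plus-digit guess list satisfies it and that crypt(3)'s 8-character truncation makes a required tenth character meaningless, can be seen in a few lines. The following is an added illustration, not code from the post or from the Grampp & Morris paper. It models the quoted policy and the old truncation behaviour; the name list is a constructed stand-in for "the 20 most common female first names", the password file is constructed, and SHA-256 replaces DES only so the script runs without the deprecated `crypt` module (the truncation, which is the property being shown, is applied exactly as the old algorithm did).

```python
"""Added example (not Henry Spencer's or Grampp & Morris's code): a
name-plus-digit guessing attack against a complexity-only password policy,
with the 8-character truncation of classic crypt(3) modelled explicitly."""
import hashlib
import itertools

# Classic DES-based crypt(3) ignores everything after the eighth character.
SIGNIFICANT_CHARS = 8

# Constructed stand-in for "the 20 most common female first names";
# any short list of common names makes the same point.
COMMON_NAMES = [
    "mary", "patricia", "linda", "barbara", "elizabeth", "jennifer", "maria",
    "susan", "margaret", "dorothy", "lisa", "nancy", "karen", "betty", "helen",
    "sandra", "donna", "carol", "ruth", "sharon",
]


def policy_accepts(password, min_len=10):
    """Model of the rule quoted in the post: a minimum length, plus either a
    non-alphabetic character or digits mixed with letters."""
    if len(password) < min_len:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_other = any(not c.isalnum() for c in password)
    return has_other or (has_alpha and has_digit)


def effective_password(password):
    """What the stored hash actually covers once crypt(3)-style truncation applies."""
    return password[:SIGNIFICANT_CHARS]


def legacy_hash(password, salt):
    """Stand-in for crypt(3). Assumption: SHA-256 replaces DES so the example
    runs without the deprecated crypt module; the truncation is the real
    crypt(3) behaviour being illustrated."""
    data = (salt + effective_password(password)).encode()
    return hashlib.sha256(data).hexdigest()


def candidate_passwords(names=COMMON_NAMES):
    """The Grampp & Morris guess list: each name followed by a single digit (200 guesses)."""
    for name, digit in itertools.product(names, "0123456789"):
        yield name + digit


def crack(entries, names=COMMON_NAMES):
    """entries maps user -> (salt, stored hash). Returns user -> first guess
    whose hash matches; because of truncation that guess need not equal the
    password the user typed, but it logs in just the same."""
    recovered = {}
    for user, (salt, stored) in entries.items():
        for guess in candidate_passwords(names):
            if legacy_hash(guess, salt) == stored:
                recovered[user] = guess
                break
    return recovered


def sample_entries():
    """Constructed password file: every password below satisfies policy_accepts()."""
    chosen = {
        "alice": ("ab", "elizabeth1"),      # name + digit; the digit is the 10th char
        "bob":   ("cd", "jennifer42"),      # not on the guess list, but 'jennifer?' collides
        "carol": ("ef", "c0rrect-battery"), # not a name; the 200-guess list misses it
    }
    return {u: (salt, legacy_hash(pw, salt)) for u, (salt, pw) in chosen.items()}


if __name__ == "__main__":
    for pw in ("elizabeth1", "elizabeth9", "jennifer42", "c0rrect-battery"):
        print(f"{pw:16} policy={policy_accepts(pw)!s:5} hashed as {effective_password(pw)!r}")
    print("recovered:", crack(sample_entries()))
```

Two things fall out of running it: with a 10-character minimum only the longest names pass the rule at all, yet the users who do comply are exactly the ones a 200-guess list finds; and `elizabeth1` and `elizabeth9` hash identically, because the character the policy insisted on is the one crypt(3) throws away. Bob is recovered with `jennifer0`, a guess that is not his password but still authenticates against his hash.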