Re: virulence of the recent virus

Henry Spencer (attcan!utzoo!
8 Nov 88 22:48:53 GMT

In article <> (Stuart Cracraft) writes:
>As a system maintainer, the two best things you can do to increase
>your ability to sleep at night are:
> * enable password aging
> * enable complex passwords

Both are mistakes. See "UNIX Operating System Security", by F.T. Grampp
and R.H. Morris (the elder!) in the Bell Labs Technical Journal, Oct 1984.

>... If you enable aging, for example, once every
>month or two, every user who logs into your system will be required
>to specify a new password.

On the spur of the moment, which means that he often will make up a poor
password, or simply alternate between two passwords. "The goal is
laudable. The algorithm, however, is bad, and the implementation, from
a security standpoint, is just awful..." (Grampp&Morris)

We thought about this for some time, and concluded that it is better to
gently remind users that their password is getting a trifle old, rather
than forcing them to change it.

>...This particular one requires
>that the user specify a password with complex characters in it,
>either non-alphabetic, or numeric mixed with alphabetic and of
>at least a certain length (10 characters seems like a good size).

Things like this may be useful in moderation; for example, preventing
overly-short passwords is certainly a good thing. However, it's very
hard to construct a simple algorithm that reliably ensures good passwords.
You may be discouraging users from choosing inventive passwords by putting
arbitrary barriers in their paths. Grampp&Morris describe a successful
attack on systems using the above algorithm: passwords consisting of the
20 most common female first names, followed by a single digit, let them
onto every single one of the several dozen machines they surveyed.

(Incidentally, Unix truncates passwords to 8 characters, so requiring
10 is pointless.)

The Earth is our mother.	|    Henry Spencer at U	of Toronto Zoology
Our nine months	are up.		|uunet!attcan!utzoo!henry

This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:30 GMT