reply
"Ken Leonard" <kleonard%vhslan@gvlv2.GVL.Unisys.COM> Thu, 05 April 1990 14:18 UTC
Received: from gvlv2.GVL.Unisys.COM by cert.sei.cmu.edu (5.61/2.2) id AA00855; Thu, 5 Apr 90 10:18:42 -0400
Received: by gvlv2.GVL.Unisys.COM (5.61/mls/3.1) id AA00871; Thu, 5 Apr 90 10:18:36 -0400
Received: by vhslan (UUPC/pcmail 1.095b) with UUCP; Thu, 05 Apr 90 09:21:19 EST
Date: Thu, 05 Apr 1990 09:21:19 -0500
From: Ken Leonard <kleonard%vhslan@gvlv2.GVL.Unisys.COM>
Message-Id: <261b545f.vhslan@vhslan>
X-Mailer: Mush 6.5.6 (PC R6.3 22-Sep-89)
To: ssphwg@cert.sei.cmu.edu
Subject: reply
> Art, wrote:
> >
> >...
> > "obvious" choices (these choices are not suitable for discussion in
> > this public medium!!) and checks them against the password files. If
> >...
> > How do we tell the system managers how to check for obvious
> > passwords without giving the same advice to malfeasors? Hiding a
> >...
> Oh, BALONEY! The "usual" folds, reversals, permu-mungations of
> userids, syswords, dictionarywords -to- passwords are well and widely
> known.
> "Crackers" have usually lots of cpucycles, clocktime or other resources
> to spend rather freely in trying to match a password--they have little
> concern with efficiency of the programs and inner-algorithms they use,
> so they go ahead and do their thing, and we (sysowners, sysusers) end
> up suffering.
> "Legitimate" "anti-crackers" have to be concerned about peopletime,
> systime, clocktime, cpucycles and goodness knows what other resources
> we have or don't-have available to spend on protective measures.
> Distributing effective algorithms for generating/checking safe
> passwords is what _we_ need.
> "So what," if a cracker gets ahold of a more efficient algorithm?
> He or she may or may not use it, but _will_ continue the attack
> anyhow. We "goodguys" _need_ efficient algorithms and, without them,
> _may_not_be_able_ to do _any_ protection (almost.)
> "IMHO," playing cutesy-cozy with efficient safety mechanisms is
> _really_ _anti_social_.
> -------------------
> #SET flame=off
> -----
> regardz,
> Ken
--
Ken Leonard
I'm too old to know better.
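An added example, not part of the original message or of any tool the list discussed: a check run at password-change time that canonicalizes the proposed password once and looks it up, so its cost does not grow with the number of transformations covered (case folding, reversal, doubling or mirroring, digit and punctuation affixes). The function names, the `fullname` parameter and the small `WORDS` list are assumptions made for illustration.

```python
import re

# Constructed sample word list (assumption); a real site would load its own
# dictionary and site-specific words into this set.
WORDS = {"password", "secret", "wizard", "unisys", "dragon"}


def _canon(s):
    """Fold case and strip leading/trailing digits and punctuation."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s.lower())


def _forms(core):
    """Strings to look up: the core, its reversal, and the repeated half
    when the core is a word doubled ("abab") or mirrored ("abba")."""
    out = {core, core[::-1]}
    half = len(core) // 2
    if half and len(core) % 2 == 0:
        a, b = core[:half], core[half:]
        if a == b or a == b[::-1]:
            out.update({a, a[::-1]})
    return out


def check_password(password, userid, fullname="", min_len=6):
    """Return the reasons to refuse a proposed password (empty list = accepted).

    Work is one canonicalization plus a few set lookups, independent of the
    size of the word list.
    """
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    forms = _forms(_canon(password))
    personal = {_canon(userid)} | {_canon(p) for p in fullname.split()}
    personal.discard("")
    if forms & personal:
        reasons.append("derived from userid or name")
    if forms & WORDS:
        reasons.append("derived from dictionary word")
    return reasons


if __name__ == "__main__":
    # Constructed sample proposals for a hypothetical account.
    for pw in ("Kleonard1", "draziw99", "secretsecret", "tq7#Vmz!04hr"):
        print(pw, "->", check_password(pw, "kleonard", "Ken Leonard") or "accepted")
```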