Re: Password checking

["Ken Leonard" <kleonard%vhslan@gvlv2.GVL.Unisys.COM>]

Art, you wrote:
>
>...
> "obvious" choices (these choices are not suitable for discussion in
> this public medium!!) and checks them against the password files.  If
>...
>     How do we tell the system managers how to check for obvious
> passwords without giving the same advice to malfeasors?  Hiding a
>...
Oh, BALONEY!  The "usual" folds, reversals, permu-mungations of
userids, syswords, dictonarywords -to- passwords are well and widely
known.
"Crackers" have usually lots of cpucycles, clocktime or other resources
to spend rather freely in trying to match a password--they have little
concern with efficiency of the programs and inner-algorithms they use,
so they go ahead and do their thing, and we (sysowners, sysusers) end
up suffering.
"Legitimate" "anti-crackers have to be concerned about peopletime,
systime, clocktime, cpucycles and goodness know what other resources
we have or don't-have available to spend on protective measures.
Distributing effective algorithms for generating/checking safe
passwords is what _we_ need.
"So what," if a cracker gets ahold of a more efficient algorithm?
He or she may or may not use it, but _will_ continue the attack
anyhow.  We "goodguys" _need_ efficient algorithms and, without them,
_may_not_be_able_ to do _any_ protection (almost.)
"IMHO," playing cutesy-cozy with efficient safety mechanisms is
_really_ _anti_social_.
-------------------
#SET flame=off
-----
regardz,
Ken

-- 
Ken Leonard
I'm too old to know better.