Re: Password checking
"Ken Leonard" <kleonard%vhslan@gvlv2.GVL.Unisys.COM> Thu, 05 April 1990 14:19 UTC
Received: from gvlv2.GVL.Unisys.COM by cert.sei.cmu.edu (5.61/2.2) id AA00857; Thu, 5 Apr 90 10:19:12 -0400
Received: by gvlv2.GVL.Unisys.COM (5.61/mls/3.1) id AA00866; Thu, 5 Apr 90 10:18:26 -0400
Received: by vhslan (UUPC/pcmail 1.095b) with UUCP; Thu, 05 Apr 90 09:18:52 EST
Date: Thu, 05 Apr 1990 09:18:52 -0500
From: Ken Leonard <kleonard%vhslan@gvlv2.GVL.Unisys.COM>
Message-Id: <261b53cc.vhslan@vhslan>
X-Mailer: Mush 6.5.6 (PC R6.3 22-Sep-89)
To: art@dinorah.wustl.edu, ssphwg@cert.sei.cmu.edu
Subject: Re: Password checking
Cc: kleonard@gvlv2.GVL.Unisys.COM
Art, you wrote:
>
>...
> "obvious" choices (these choices are not suitable for discussion in
> this public medium!!) and checks them against the password files. If
>...
> How do we tell the system managers how to check for obvious
> passwords without giving the same advice to malfeasors? Hiding a
>...

Oh, BALONEY!

The "usual" folds, reversals, permu-mungations of userids, syswords, dictionarywords -to- passwords are well and widely known.

"Crackers" have usually lots of cpucycles, clocktime or other resources to spend rather freely in trying to match a password--they have little concern with efficiency of the programs and inner-algorithms they use, so they go ahead and do their thing, and we (sysowners, sysusers) end up suffering.

"Legitimate" "anti-crackers" have to be concerned about peopletime, systime, clocktime, cpucycles and goodness knows what other resources we have or don't-have available to spend on protective measures.

Distributing effective algorithms for generating/checking safe passwords is what _we_ need.

"So what," if a cracker gets ahold of a more efficient algorithm? He or she may or may not use it, but _will_ continue the attack anyhow.

We "goodguys" _need_ efficient algorithms and, without them, _may_not_be_able_ to do _any_ protection (almost.)

"IMHO," playing cutesy-cozy with efficient safety mechanisms is _really_ _anti_social_.

------------------- #SET flame=off -----

regardz,
Ken

--
Ken Leonard
I'm too old to know better.