Re: Password checking

Philippe Prindeville <philipp@Gipsi.Gipsi.Fr> Fri, 06 April 1990 13:07 UTC

Received: from inria.inria.fr by cert.sei.cmu.edu (5.61/2.2) id AA05138; Fri, 6 Apr 90 09:07:12 -0400
Received: from Gipsi.Gipsi.FR by inria.inria.fr (5.61+/89.0.8) via Fnet-EUnet id AA24976; Fri, 6 Apr 90 15:06:54 +0200 (MET)
Received: by Gipsi.Gipsi.Fr (4.12/4.8) id AA29963; Fri, 6 Apr 90 15:08:15 -0100 (MET)
Date: Fri, 6 Apr 90 15:08:15 -0100
From: Philippe Prindeville <philipp@Gipsi.Gipsi.Fr>
Message-Id: <9004061408.AA29963@Gipsi.Gipsi.Fr>
X-Phone: +33 1 30 60 75 25 / +33 1 47 34 42 74
To: art@dinorah.wustl.edu
Subject: Re: Password checking
Cc: ssphwg@cert.sei.cmu.edu

First, I wouldn't leave cleartext passwords on any sort of storage
device (including mailboxes) -- much safer to log them to a "secure"
console.  Second, the obvious time to screen a password is when it
is set, not periodically.  This way you reduce the window of
opportunity to zero.

-Philip