Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!hc!lanl!cmcl2!brl-adm!adm!PAAAAAR%CALSTATE.BITNET@cunyvm.cuny.edu
From: PAAAAAR%CALSTATE.BITNET@cunyvm.cuny.edu
Newsgroups: comp.unix.questions
Subject: RE: good passwords
Message-ID: <16473@brl-adm.ARPA>
Date: 13 Jul 88 12:54:56 GMT
Sender: news@brl-adm.ARPA
Lines: 71

Received: by CALSTATE via BITNet for PAAAAAR@CALSTATE (CSUMailer (1.2)); Sat, 9 Jul 88 10:30:21 PDT
Received: by BYUADMIN (Mailer X1.25) id 8879; Sat, 09 Jul 88 11:28:12 MDT
Date: Fri, 8 Jul 88 14:51:35 EDT
Reply-To: INFO-UNIX@BRL.ARPA
Sender: I-UNIX@TCSVM
From: roberts@CMR.ICST.NBS.GOV
Subject: good passwords
Comments: To: info-unix@BRL.ARPA
To: PAAAAAR@CCS.CSUSCC.CALSTATE.EDU

Careful analysis shows that the best possible password is "k75LL43j". If you want to have the greatest available security, you should change your password to this value right away.

John Roberts
roberts@cmr.icst.nbs.gov

===== Reply from Richard Botting ===========================

You can increase the security of passwords fairly simply by expanding the character set involved. A randomly placed '@' or '.' is a way to stop anyone trying to crack your account - who has never used a system with non-alpha-numeric passwords. Which Unix flavours (if any) permit control codes in passwords? If you can, the occasional CTRL/H may foil many 'amateur' attempts.

It is important for these strategies not to be known - so why am I posting them! Well, if everybody starts including a strange character, then I can make my accounts safe by not having one...

Another way to improve security is to use a dictionary, opened at random, to select two shortish words as your new passwd.

To protect novice students you can include 'passwd' in their .profile/.login files in their home directories. This means that they have to think about not changing it until they learn how to edit their .profile/.login files...

It is not difficult, by the way, to hack the source code for login.c so that
(1) only N attempts can be made (N close to 3 is good),
(2) attempts that fail are printed on the console (paper is not erasable),
(3) the N+1th attempt logs the person in as a 'guest'. On our system the shell for guests (bona fide and accidental) is a hyper simple BBS with the ability to send and read mail (useful for people who forget their password).

I did these things and have had the system running 24 hours a day with the phone number published nationally and locally - with nobody yet managing to crack the system.

Here is a final experimental idea. Replace pass *words* by pass *phrases*. In other words the user remembers 'Shall I compare thee to a summer's day' and types SIcttasd. This looked good until I read one of St. Isaac Asimov's mystery tales that has this type of password figured out by a waiter.

Any other ideas????

Dick Botting
PAAAAAR@CCS.CSUSCC.CALSTATE (doc-dick)
paaaaar@calstate.bitnet
PAAAAAR%CALSTATE.BITNET@{depends on the phase of the moon}.EDU
Dept Comp Sci., CSUSB, 5500 State Univ Pkway, San Bernardino CA 92407
Disclaimer: What with my brain, my fingers, this Mac, the PDP, the CSU CYBERS, transmission errors, your machine, terminal eyes and brain.. I probably didn't think what you thought you just read anyway!
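The login.c changes described in the reply (N attempts, every failure logged to the console, the N+1th attempt landing in a guest account) as an added example; this is not the poster's code. The user name, password and typed attempts are constructed, and a real login program compares against a hashed entry rather than a plaintext constant.

```c
#include <stdio.h>
#include <string.h>

enum login_result { LOGIN_OK, LOGIN_GUEST, LOGIN_HANGUP };

static const char *const ALLOWED_USER = "dick";                 /* constructed */
static const char *const ALLOWED_PASS = "constructed-sample-pw"; /* constructed */

/* Constant-time comparison so the check does not leak how long a
 * matching prefix was via timing. Length mismatch still counts as a mismatch. */
static int pw_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* attempts[i] = {user, password} as typed at the prompt (constructed input).
 * Returns LOGIN_OK when a pair matches within max_attempts tries. After
 * max_attempts failures the caller is placed in the guest account
 * (LOGIN_GUEST); if the caller stops typing before that, LOGIN_HANGUP.
 * Each failure is written to console_log (NULL to skip), logging the user
 * name tried but never the password candidate. *tries_used reports how
 * many prompts were consumed. */
enum login_result login_session(const char *attempts[][2], int n_attempts,
                                int max_attempts, FILE *console_log,
                                int *tries_used) {
    int failures = 0;
    for (int i = 0; i < n_attempts; i++) {
        const char *user = attempts[i][0], *pass = attempts[i][1];
        if (strcmp(user, ALLOWED_USER) == 0 && pw_equal(pass, ALLOWED_PASS)) {
            *tries_used = i + 1;
            return LOGIN_OK;
        }
        failures++;
        if (console_log)
            fprintf(console_log, "login failure %d/%d for user '%s'\n",
                    failures, max_attempts, user);
        if (failures >= max_attempts) {   /* the N+1th prompt is the guest BBS */
            *tries_used = i + 1;
            return LOGIN_GUEST;
        }
    }
    *tries_used = n_attempts;
    return LOGIN_HANGUP;
}
```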