Path: utzoo!attcan!uunet!husc6!mailrus!ames!haven!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn )
Newsgroups: comp.unix.wizards
Subject: Re: password aging
Message-ID: <9001@smoke.BRL.MIL>
Date: 28 Nov 88 16:51:03 GMT
References: <17648@adm.BRL.MIL>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB))
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 21

In article <17648@adm.BRL.MIL> rbj@nav.icst.nbs.gov (Root Boy Jim) writes:
>I happen to believe that
>one should only choose *one* password *in their entire lifetime* and
>stick with it until one has reason to believe it has been compromised.

This should be modified somewhat; so long as the same encryption scheme
is being used, and the password is not thought to be vulnerable to the
standard attacks, one is sufficient until it is compromised. However,
it would be folly to use your well-protected UNIX password on a public
BBS, for example, because very likely the password on the BBS is NOT so
well protected, and once it is stolen there it could be used to enter
your supposedly more secure system.

I tend to use a single (different) password at each level of security,
one for my accounts on public BBSes and the like, where I don't much
care if it's compromised, and one for each type of protection (such as
UNIX crypt()) on better-protected systems.

In response to Barry's suggestion that shadow (really, non-public)
password files are a panicky reaction to the Internet worm/virus:
I've recommended this for years. AT&T adopted it for its MLS UNIX well
before the virus scare. If done right, it adds a significant amount of
security to the typical UNIX system. It's a good idea.
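The post's closing point is that the password hashes should not sit in the world-readable password file at all, but in a file only root can read. The following audit script is an added example, not part of the original post or of any UNIX distribution: it parses the seven-field /etc/passwd layout and reports accounts whose hash is still in the public file, accounts with no password at all, and accounts whose password field disables login. The sample lines, including the 13-character traditional crypt(3)-style value on the "legacy" line, are constructed for the example and are not hashes of any real password.

```python
"""Audit /etc/passwd-format text for hashes left in the world-readable file.

Field semantics assumed here (standard for System V / BSD-derived passwd files):
  'x'        the hash has been moved to the non-public shadow file
  '*' / '!'  no valid hash; password login for the account is disabled
  ''         no password required (any other field value is the hash itself)
"""
from typing import Dict, List

# Constructed sample input, not copied from any real system.
SAMPLE_PASSWD = """\
# name:password:uid:gid:gecos:home:shell
root:x:0:0:root:/root:/bin/sh
gwyn:x:1001:1001:Doug Gwyn:/home/gwyn:/bin/sh
legacy:abJnggxhB/yWI:1002:1002:Pre-shadow account:/home/legacy:/bin/sh
nologin:*:1003:1003:Disabled account:/nonexistent:/bin/false
guest::1004:1004:Guest account:/home/guest:/bin/sh
"""

FIELD_NAMES = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd-format text into one dict per account line.

    Blank lines and '#' comments are skipped; a line with the wrong number
    of colon-separated fields is a corrupt file and raises rather than being
    silently ignored, since a parser that drops lines would hide accounts.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(FIELD_NAMES):
            raise ValueError(
                f"line {lineno}: expected {len(FIELD_NAMES)} fields, got {len(fields)}"
            )
        entries.append(dict(zip(FIELD_NAMES, fields)))
    return entries


def classify(pw_field: str) -> str:
    """Return one of 'shadowed', 'disabled', 'empty' or 'exposed' for a password field."""
    if pw_field == "x":
        return "shadowed"
    if pw_field in ("*", "!") or pw_field.startswith("!") or pw_field.startswith("*"):
        return "disabled"
    if pw_field == "":
        return "empty"
    # Anything else is a hash readable by every local user and therefore
    # available for offline guessing.
    return "exposed"


def audit(text: str) -> Dict[str, List[str]]:
    """Group account names by how their password field is stored."""
    report: Dict[str, List[str]] = {
        "shadowed": [], "disabled": [], "empty": [], "exposed": []
    }
    for entry in parse_passwd(text):
        report[classify(entry["pw"])].append(entry["name"])
    return report


if __name__ == "__main__":
    for category, names in audit(SAMPLE_PASSWD).items():
        print(f"{category:9s} {', '.join(names) or '-'}")
```

Run against the sample, the "legacy" and "guest" accounts are the two findings a reviewer would act on: the first still publishes a hash that any local user can copy and attack offline, the second requires no password at all. On a live host the same function can be fed the contents of /etc/passwd directly; a clean shadowed system yields nothing under "exposed" or "empty".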