Xref: utzoo comp.unix.wizards:13315 comp.sources.wanted:5766
Path: utzoo!utgpu!watmath!clyde!bellcore!rutgers!deimos!uxc!uwmcsd1!marque!uunet!munnari!otc!metro!ipso!stcns3!stca77!peter
From: peter@stca77.stc.oz (Peter Jeremy)
Newsgroups: comp.unix.wizards,comp.sources.wanted
Subject: System Security
Message-ID: <375@stca77.stc.oz>
Date: 7 Dec 88 20:29:49 GMT
Reply-To: peter@stca77.stc.oz (Peter Jeremy)
Organization: Alcatel-STC, Alexandria, AUSTRALIA
Lines: 23

In the wake of the RTM worm, there has been much discussion on system
security in various newsgroups.  One item that caught my eye (sorry,
I can't remember the reference) suggested running a daemon that checked
for trivial passwords, and mailing the user and sysadm when one was found.

This sounded like a good idea, until I thought it through.  The core of
such a daemon is a password _cracker_.  Whilst the daemon itself should
be innocuous (subject to bugs :-), the source would make an excellent
basis for a worm.

Question for all you wizards out there:  Is such a program "legitimate"?
What should I do with the source (and presumably the executable) to prevent
misuse?  Or is such a program such a trivial exercise that it is not
worth protecting?

The other logical approach is an improved PASSWD(1) program that prevents
users using trivial passwords.  Does anyone have such a beast?  What is
a good (quick*) way of deciding whether a password is trivial?
-- 
Peter Jeremy (VK2PJ)         peter@stca77.stc.oz
Alcatel-STC Australia        ...!uunet!stca77.stc.oz!peter
41 Mandible St               peter%stca77.stc.oz@uunet.UU.NET
ALEXANDRIA  NSW  2015
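One quick way to decide whether a password is trivial, of the kind a passwd(1) front end could apply before accepting a new password, is shown below. This is an added example and not code from the post or from any passwd(1) implementation: the rule set (a 6-character minimum, a single-character-class test, comparison against the login name, the alphabetic words of the GECOS field, and a word list, each also tried reversed and with leading or trailing digits stripped) and the embedded stand-in word list are assumptions chosen for illustration. Because this check runs at the moment the user types a new password, it sees the plaintext and needs no cracker at all, which sidesteps the worry about distributing cracker source; a real deployment would read /usr/dict/words instead of the constructed list.

```c
/* Trivial-password check for a passwd(1) front end.
 * Added example, not code from the original post; the rule set,
 * MIN_LEN and the embedded word list are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 6
#define MAX_PW 128

/* Reason codes returned by trivial_password(); PW_OK means "not obviously trivial". */
enum {
    PW_OK = 0,
    PW_TOO_SHORT,
    PW_ONE_CLASS,      /* all letters of one case, or all digits, or all punctuation */
    PW_FROM_USERNAME,  /* the login name, reversed or with digits tacked on */
    PW_FROM_GECOS,     /* a word from the GECOS (full name) field */
    PW_DICTIONARY      /* a word-list entry, reversed or with digits tacked on */
};

/* Constructed stand-in for /usr/dict/words; a real check reads the file. */
static const char *const WORDLIST[] = {
    "password", "secret", "wizard", "welcome", "qwerty", "letmein", "unix", NULL
};

/* Lower-case copy of s into dst, at most n-1 characters, NUL-terminated. */
static void lower_copy(char *dst, const char *s, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n && s[i]; i++)
        dst[i] = (char)tolower((unsigned char)s[i]);
    dst[i] = '\0';
}

static void reverse_in_place(char *s)
{
    size_t i, j;
    for (i = 0, j = strlen(s); i + 1 < j; i++, j--) {
        char t = s[i]; s[i] = s[j - 1]; s[j - 1] = t;
    }
}

/* Strip leading and trailing digits: "secret99" -> "secret", "1unix1" -> "unix". */
static void strip_digits(char *s)
{
    size_t len = strlen(s), start = 0;
    while (start < len && isdigit((unsigned char)s[start])) start++;
    memmove(s, s + start, len - start + 1);
    len = strlen(s);
    while (len > 0 && isdigit((unsigned char)s[len - 1])) s[--len] = '\0';
}

/* 1 if the lower-cased password equals word, its reverse, or either one
 * after the password's leading/trailing digits are stripped. */
static int matches_word(const char *lpw, const char *word)
{
    char w[MAX_PW], stripped[MAX_PW];
    if (!*word) return 0;
    lower_copy(w, word, sizeof w);
    strcpy(stripped, lpw);
    strip_digits(stripped);
    if (strcmp(lpw, w) == 0 || strcmp(stripped, w) == 0) return 1;
    reverse_in_place(w);
    return strcmp(lpw, w) == 0 || strcmp(stripped, w) == 0;
}

/* Returns PW_OK or the first reason the candidate is judged trivial. */
int trivial_password(const char *pw, const char *user, const char *gecos)
{
    char lpw[MAX_PW], field[MAX_PW], *tok;
    size_t i, len = strlen(pw);
    int has_lower = 0, has_upper = 0, has_digit = 0, has_other = 0;

    if (len < MIN_LEN) return PW_TOO_SHORT;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c)) has_lower = 1;
        else if (isupper(c)) has_upper = 1;
        else if (isdigit(c)) has_digit = 1;
        else has_other = 1;
    }
    if (has_lower + has_upper + has_digit + has_other < 2) return PW_ONE_CLASS;

    lower_copy(lpw, pw, sizeof lpw);
    if (matches_word(lpw, user)) return PW_FROM_USERNAME;

    /* GECOS looks like "Peter Jeremy,Room 12,..."; try each alphabetic run of 3+ letters. */
    lower_copy(field, gecos, sizeof field);
    for (i = 0; field[i]; i++)
        if (!isalpha((unsigned char)field[i])) field[i] = ' ';
    for (tok = strtok(field, " "); tok; tok = strtok(NULL, " "))
        if (strlen(tok) >= 3 && matches_word(lpw, tok)) return PW_FROM_GECOS;

    for (i = 0; WORDLIST[i]; i++)
        if (matches_word(lpw, WORDLIST[i])) return PW_DICTIONARY;
    return PW_OK;
}

int main(void)
{
    static const char *const REASON[] = { "ok", "too short", "single character class",
        "derived from login name", "word from GECOS field", "dictionary word" };
    /* Constructed candidates for the (assumed) account peter / "Peter Jeremy". */
    const char *samples[] = { "abc", "abcdefgh", "Peter1", "Jeremy9", "terceS1", "x7#Kq!mz" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s %s\n", samples[i],
               REASON[trivial_password(samples[i], "peter", "Peter Jeremy")]);
    return 0;
}
```

The checks are ordered cheapest first, so a rejected candidate usually costs a length test or a single string compare; the word-list scan is the only part whose cost grows with the dictionary, and it is still a handful of comparisons per entry rather than a crypt(3) call.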