Xref: utzoo comp.unix.wizards:13315 comp.sources.wanted:5766
Path: utzoo!utgpu!watmath!clyde!bellcore!rutgers!deimos!uxc!uwmcsd1!marque!uunet!munnari!otc!metro!ipso!stcns3!stca77!peter
From: peter@stca77.stc.oz (Peter Jeremy)
Newsgroups: comp.unix.wizards,comp.sources.wanted
Subject: System Security
Message-ID: <375@stca77.stc.oz>
Date: 7 Dec 88 20:29:49 GMT
Reply-To: peter@stca77.stc.oz (Peter Jeremy)
Organization: Alcatel-STC, Alexandria, AUSTRALIA
Lines: 23

In the wake of the RTM worm, there has been much discussion on system
security in various newsgroups. One item that caught my eye (sorry, I
can't remember the reference) suggested running a daemon that checked
for trivial passwords, and mailing the user and sysadm when one was
found.

This sounded like a good idea, until I thought it through. The core of
such a daemon is a password _cracker_. Whilst the daemon itself should
be innocuous (subject to bugs :-), the source would make an excellent
basis for a worm.

Question for all you wizards out there: Is such a program "legitimate"?
What should I do with the source (and presumably the executable) to
prevent misuse? Or is such a program such a trivial exercise that it is
not worth protecting?

The other logical approach is an improved PASSWD(1) program that
prevents users using trivial passwords. Does anyone have such a beast?
What is a good (quick*) way of deciding whether a password is trivial?

-- 
Peter Jeremy (VK2PJ)         peter@stca77.stc.oz
Alcatel-STC Australia        ...!uunet!stca77.stc.oz!peter
41 Mandible St               peter%stca77.stc.oz@uunet.UU.NET
ALEXANDRIA NSW 2015
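As an added example (not from the post or any reply to it), here is the kind of cheap proactive check an improved passwd(1) could run before accepting a new password, which answers the "quick way of deciding whether a password is trivial" part rather than the cracker question. The word list, usernames and the 6-character minimum are constructed for illustration; a real implementation would consult /usr/dict/words or a site-specific list.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample word list; a real passwd(1) would read
 * /usr/dict/words or a site-specific list instead. */
static const char *const WORDS[] = { "password", "secret", "wizard", "unix", "login" };

enum triv { OK = 0, TOO_SHORT, SAME_CHAR, IS_USERNAME, IN_WORDLIST, ONE_CLASS };

static void lower_copy(char *dst, const char *src, size_t cap)
{
    size_t i;
    for (i = 0; i + 1 < cap && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static void reverse(char *s)
{
    size_t i, n = strlen(s);
    for (i = 0; i < n / 2; i++) { char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t; }
}

/* Returns OK if pw survives every cheap test, else the first reason it failed.
 * Each test is O(length) or O(wordlist), so it is fast enough for passwd(1). */
enum triv is_trivial(const char *pw, const char *user)
{
    char lpw[64], luser[64];
    size_t i, wl, n = strlen(pw);
    int alpha = 0, other = 0;

    if (n < 6) return TOO_SHORT;                     /* minimum length is an assumption */
    lower_copy(lpw, pw, sizeof lpw);
    lower_copy(luser, user, sizeof luser);
    for (i = 1; i < n && lpw[i] == lpw[0]; i++) ;
    if (i == n) return SAME_CHAR;                    /* "zzzzzz" */
    if (strcmp(lpw, luser) == 0) return IS_USERNAME;
    reverse(luser);
    if (strcmp(lpw, luser) == 0) return IS_USERNAME; /* login name backwards */
    for (i = 0; i < sizeof WORDS / sizeof WORDS[0]; i++) {
        wl = strlen(WORDS[i]);
        if (strcmp(lpw, WORDS[i]) == 0) return IN_WORDLIST;
        /* a dictionary word with one digit tacked on is still a dictionary word */
        if (n == wl + 1 && strncmp(lpw, WORDS[i], wl) == 0 && isdigit((unsigned char)lpw[wl]))
            return IN_WORDLIST;
    }
    for (i = 0; i < n; i++) { if (isalpha((unsigned char)pw[i])) alpha = 1; else other = 1; }
    if (!(alpha && other)) return ONE_CLASS;         /* all letters or all digits */
    return OK;
}
```

The checks are ordered so the cheapest run first and the caller gets a single reason it can report back to the user, which is what a passwd(1) replacement needs instead of a yes/no.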