Path: utzoo!utgpu!watmath!clyde!ima!think!barmar
From: barmar@think.COM (Barry Margolin)
Newsgroups: comp.unix.wizards
Subject: Re: Here's a *BRILLIANT* password idea! (Sarcasm on)
Message-ID: <32305@think.UUCP>
Date: 29 Nov 88 23:02:09 GMT
References: <438@amanue.UUCP> <10900@ulysses.homer.nj.att.com>
Sender: news@think.UUCP
Reply-To: barmar@kulla.think.com.UUCP (Barry Margolin)
Organization: Thinking Machines Corporation, Cambridge MA, USA
Lines: 35

In article <10900@ulysses.homer.nj.att.com> ekrell@hector.UUCP (Eduardo Krell) writes:
>In article <438@amanue.UUCP> jr@amanue.UUCP (Jim Rosenberg) writes:
[ATM passwords are 4 digits]
>I don't know about your bank, but mine will take away your card if you
>enter the wrong PIN something like 3 or 5 times in a row (the ATM will
>eat the card).

Even without this, there are other safeguards. First and foremost, the
perpetrator needs your card. Of course, if he has your card he doesn't
really need to guess your password, since it is encoded on the card, so if
he knows what he is doing he can simply change it. If he doesn't have your
card, but has instead manufactured a forged card, he doesn't need your
password since he can put whatever password he wants on it.

I may be wrong about the password being on the card. In that case, there
is still another piece of security: the only interface an outsider has is
the ATM. In the case of Unix, if someone can read the encrypted passwords
he can run a program to try lots of passwords very quickly. With an ATM
you can't download the encrypted passwords, so you would have to stand
there typing in passwords. If you could enter a password every second it
could take three hours to find a password. If the ATM spits out the card
after a couple of bad passwords (as I think mine does) this could slow you
down by an order of magnitude.

When there isn't a means for trying passwords at high speed, as there is
in Unix (without shadow password files), it isn't as important to make the
password namespace really large.

Barry Margolin
Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
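The contrast Barry draws above, an attacker limited to one guess at a time through the ATM (possibly losing the card after a few failures) versus an attacker who has copied the stored hashes and can try the whole space offline, is easy to make concrete. The following is an added toy model, not code from the original post or from any bank or Unix implementation; the `Atm` class, the card-retention policy, the `hash_pin` stand-in for a stored PIN hash and the salt value are all illustrative assumptions chosen for the example.

```python
# Added example (not from the original post): a toy model of the post's
# two attacker positions. An "online" attacker can only talk to an ATM,
# one PIN per attempt, and may lose the card after a few failures; an
# "offline" attacker who has copied a stored PIN hash (the /etc/passwd
# situation without shadow passwords) can try every PIN as fast as the
# CPU allows. All class and function names here are illustrative.
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

PIN_SPACE = 10_000  # four-digit PINs, as discussed in the thread


def all_pins() -> Iterable[str]:
    """Every four-digit PIN, zero-padded, in numeric order."""
    return (f"{i:04d}" for i in range(PIN_SPACE))


class Atm:
    """Online guessing oracle with a card-retention ("eat the card") policy.

    After `max_failures` consecutive wrong PINs the card is retained and
    every later attempt is refused. `max_failures=None` models an ATM with
    no lockout at all (the "one guess per second" case in the post).
    """

    def __init__(self, pin: str, max_failures: Optional[int] = 3) -> None:
        self._pin = pin
        self.max_failures = max_failures
        self.consecutive_failures = 0
        self.card_retained = False
        self.attempts = 0

    def try_pin(self, guess: str) -> bool:
        if self.card_retained:
            raise PermissionError("card retained; no further attempts accepted")
        self.attempts += 1
        if hmac.compare_digest(guess, self._pin):
            self.consecutive_failures = 0
            return True
        self.consecutive_failures += 1
        if (self.max_failures is not None
                and self.consecutive_failures >= self.max_failures):
            self.card_retained = True
        return False


def online_attack(atm: Atm) -> Tuple[bool, int]:
    """Guess PINs in numeric order until success or lockout.

    Returns (found, attempts_made). With a lockout policy the attacker gets
    only `max_failures` tries per physical card, so the size of the PIN
    space barely matters; without one the attacker eventually walks the
    whole space.
    """
    for candidate in all_pins():
        try:
            if atm.try_pin(candidate):
                return True, atm.attempts
        except PermissionError:
            break
    return False, atm.attempts


def online_time_bounds(seconds_per_guess: float) -> Tuple[float, float]:
    """(average, worst-case) seconds to guess a PIN with no lockout.

    Exhaustive search over PIN_SPACE candidates: on average half the space,
    worst case all of it. At one guess per second the worst case is 10 000 s,
    the "three hours" figure in the post.
    """
    return PIN_SPACE / 2 * seconds_per_guess, PIN_SPACE * seconds_per_guess


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Stand-in for a stored, salted PIN hash (illustrative; not a real ATM scheme)."""
    return hashlib.sha256(salt + pin.encode()).digest()


def offline_attack(stored_hash: bytes, salt: bytes) -> Optional[str]:
    """Brute-force a leaked hash: no oracle, no lockout, no per-guess delay.

    This is the Unix situation the post contrasts with the ATM: once the
    hash is readable, a four-digit space falls in a fraction of a second.
    """
    for candidate in all_pins():
        if hmac.compare_digest(hash_pin(candidate, salt), stored_hash):
            return candidate
    return None


if __name__ == "__main__":
    print("online, card eaten after 3 failures:", online_attack(Atm("4321", 3)))
    print("online, no lockout:", online_attack(Atm("4321", None)))
    print("avg/worst seconds at 1 guess/s:", online_time_bounds(1.0))
    print("offline crack of leaked hash:",
          offline_attack(hash_pin("4321", b"salt"), b"salt"))
```

Run as a script it shows the three regimes side by side: with a three-strike card-retention policy the online attacker makes three attempts and is done; with no lockout the same attacker needs thousands of attempts at one per second; the offline attacker recovers the same PIN from the leaked hash in one pass over all 10,000 candidates. That is the whole argument of the post: the size of the PIN space is only the binding constraint once the attacker has an unthrottled oracle, which is exactly what a world-readable password file hands out and what shadow password files take away.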