Path: utzoo!attcan!uunet!seismo!sundc!pitstop!sun!snafu!lm
From: lm@snafu.Sun.COM (Larry McVoy)
Newsgroups: comp.unix.wizards
Subject: Re: random passwords (was Re: Worm...)
Message-ID: <79354@sun.uucp>
Date: 30 Nov 88 02:22:04 GMT
References: <28399@tut.cis.ohio-state.edu> <278@aber-cs.UUCP> <10896@ulysses.homer.nj.att.com> <4302@encore.UUCP>
Sender: news@sun.uucp
Reply-To: lm@sun.UUCP (Larry McVoy)
Distribution: eunet,world
Organization: Sun Microsystems, Mountain View
Lines: 26

Steve wrote:
>>Let's look at this quantitatively. There are, more or less, 95
>>printable characters. We'll subtract 2 for @ and #, which many UNIX

Barry said: [wonderful]

Jeez. This sounds awful. Try this instead; you'll like it better.

Add a field somewhere (/etc/failures?) that records the number of failed attempts. If it reaches some maximum, disallow logins with some message like:

    ("Possible security risk: %d failed attempts\n", failed)

If the failed number is greater than MAXFAIL/2, then warn the user that he ought to reset his password (to anything, including what it was). Resetting would clear the failed field.

Now that I think about it, you could print out the number of failed attempts to date at login time. Users would know right away if someone had been beating on their account.

Wouldn't this be a much easier and more palatable way to solve the problem?

Larry McVoy (lm%snafu@sun.com)
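The failed-attempt counter sketched in the post, worked through as an added C example (not code from the post or from any Sun login program). The MAXFAIL value of 10, the account record standing in for the /etc/failures field, and the simulate() scenario are assumptions made here for illustration.

```c
#include <stdio.h>

#define MAXFAIL 10  /* assumed lockout threshold; the post leaves it unspecified */

/* One account's record, modelled on the /etc/failures field the post proposes. */
struct account {
    char name[16];
    int failed;  /* failed attempts since the last password reset */
};

enum login_result { LOGIN_OK, LOGIN_BAD_PASSWORD, LOGIN_LOCKED };

/* Apply the post's rules to one login attempt. `password_ok` stands in for the
   real password check, which is out of scope here. */
enum login_result attempt_login(struct account *a, int password_ok)
{
    if (a->failed >= MAXFAIL) {
        printf("Possible security risk: %d failed attempts\n", a->failed);
        return LOGIN_LOCKED;  /* disallow logins, even with the right password */
    }
    if (!password_ok) {
        a->failed++;
        return LOGIN_BAD_PASSWORD;
    }
    /* Successful login: show the count to date so the owner notices probing. */
    printf("%s: %d failed attempts since last password reset\n", a->name, a->failed);
    if (a->failed > MAXFAIL / 2)
        printf("Consider resetting your password (to anything) to clear the count\n");
    return LOGIN_OK;
}

/* Resetting the password clears the failed field, as the post proposes. */
void reset_password(struct account *a) { a->failed = 0; }

/* Constructed scenario: `probes` wrong guesses against a fresh account, an
   optional password reset, then the owner's correct login. Returns the result
   of that final login and, if requested, the counter's value afterwards. */
enum login_result simulate(int probes, int reset_first, int *failed_out)
{
    struct account a = { "lm", 0 };
    for (int i = 0; i < probes; i++)
        attempt_login(&a, 0);
    if (reset_first)
        reset_password(&a);
    enum login_result r = attempt_login(&a, 1);
    if (failed_out)
        *failed_out = a.failed;
    return r;
}
```

Calling simulate(7, 0, NULL) shows the owner the count and the reset warning, simulate(MAXFAIL, 0, NULL) shows the lockout, and simulate(MAXFAIL, 1, NULL) shows the reset clearing it.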