Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!genrad!mit-eddi!mit-vax!eagle!harpo!seismo!hao!hplabs!sri-unix!satz@sri-tsc
From: satz%sri-tsc@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re: a thought about UNIX login security
Message-ID: <2265@sri-arpa.UUCP>
Date: Fri, 17-Jun-83 10:45:00 EDT
Article-I.D.: sri-arpa.2265
Posted: Fri Jun 17 10:45:00 1983
Date-Received: Sun, 19-Jun-83 17:20:04 EDT
Lines: 20


We have a similar program that beats up the passwd file looking for
"easy" passwords.  But instead of attacking the problem from a
defensive standpoint, we took an offensive one.  We modified the passwd
program to do some more checking before allowing users to set their
passwords.  If we get a hit, we don't let the user use that particular
password and ask for another one:

1) check his username forwards and backwards
2) check his personal name forwards and backwards, first and last
3) a list of common phrases (and nonwords) forwards and backwards
4) the entire dictionary forwards and backwards

Believe it or not, it doesn't take more than 2-3 minutes to change your
password (on an 11/44) since it uses clear text in its testing.  This
is pretty paranoid, I realize, but it is effective.  It can be rather
frustrating to choose a new password, however.

The only real "hole" left in passwd is that we will still allow
small passwords to persistent users.
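
The four set-time checks listed in the post, sketched as an added example (this is not the poster's modified passwd source). Because the candidate is still clear text at this point, each check is a plain string comparison with no hashing. The function names, return codes, sample lists, the account "jdoe" / "Jane Doe" and the case-insensitive comparison are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if pw equals word (wlen bytes) forwards or backwards; ignoring case is an assumption. */
static int hits(const char *pw, const char *word, size_t wlen) {
    int fwd = 1, rev = 1;
    if (wlen == 0 || strlen(pw) != wlen) return 0;
    for (size_t i = 0; i < wlen; i++) {
        int c = tolower((unsigned char)pw[i]);
        fwd &= c == tolower((unsigned char)word[i]);
        rev &= c == tolower((unsigned char)word[wlen - 1 - i]);
    }
    return fwd || rev;
}

/* Test each whitespace-separated part of a personal name (first, last). */
static int hits_name(const char *pw, const char *name) {
    while (*name) {
        size_t n = strcspn(name, " \t");
        if (hits(pw, name, n)) return 1;
        name += n + strspn(name + n, " \t");
    }
    return 0;
}

/* Test every entry of a NULL-terminated word list. */
static int hits_list(const char *pw, const char *const *list) {
    for (; *list; list++)
        if (hits(pw, *list, strlen(*list))) return 1;
    return 0;
}

/* Constructed sample lists standing in for the phrase file and the dictionary. */
static const char *const phrases[] = { "qwerty", "letmein", NULL };
static const char *const dict[] = { "wizard", "kernel", NULL };

/* Returns 0 to accept, or the number (1-4) of the check from the post that hit. */
int check_new_password(const char *pw, const char *user, const char *name) {
    if (hits(pw, user, strlen(user))) return 1;
    if (hits_name(pw, name)) return 2;
    if (hits_list(pw, phrases)) return 3;
    return hits_list(pw, dict) ? 4 : 0;
}

int main(void) {
    printf("%d\n", check_new_password("lenrek", "jdoe", "Jane Doe"));
    return 0;
}
```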