Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!genrad!mit-eddi!mit-vax!eagle!harpo!seismo!hao!hplabs!sri-unix!edhall@rand-unix
From: edhall%rand-unix@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re: a thought about UNIX login security
Message-ID: <2284@sri-arpa.UUCP>
Date: Fri, 17-Jun-83 19:59:00 EDT
Article-I.D.: sri-arpa.2284
Posted: Fri Jun 17 19:59:00 1983
Date-Received: Sun, 19-Jun-83 17:29:13 EDT
Lines: 29

As the former system manager of a campus UNIX system, I am well aware of many of UNIX's security holes. Students (and sometimes others) seem to have a knack for discovering these, and often exploit them when they do.

Some of these people of dubious morals read UNIX-WIZARDS. They might see a paper copy of it circulated around the computer center, or even have a legitimate entry on the mailing list.

I'm certain that at a half-dozen places across the country someone is now creating a program to search the UNIX word list for a password. Maybe they'll get caught, or their program will be killed when it's discovered using up so much CPU. But a weekend would be all it takes, and perhaps on a `borrowed' account.

I hope the message is clear. As much as I'd like to be able to discuss security issues on UNIX-WIZARDS, I'm afraid doing so can do as much harm as good.

But everyone who reads UNIX-WIZARDS knows better than to use a trivial password, right? Especially system administrators... Let's hope that chance that everyone has realized that an 8-letter password can easily be less secure than 3 random characters.

Excuse the flame; there have been several chances for me to comment on this in the past. Some recent sad events on my `old' system inspired me to write now.

-Ed