Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!philabs!seismo!hao!hplabs!sri-unix!gwyn@brl-vld
From: gwyn%brl-vld@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re:  a thought about UNIX login security
Message-ID: <2331@sri-arpa.UUCP>
Date: Sat, 18-Jun-83 13:20:09 EDT
Article-I.D.: sri-arpa.2331
Posted: Sat Jun 18 13:20:09 1983
Date-Received: Wed, 22-Jun-83 07:44:05 EDT
Lines: 22

From:      Doug Gwyn (VLD/VMB) 

The "passwd" program simply ought to refuse to let one choose a
password that is in the on-line word list (or spelled backward,
etc.), or one that is too short, or in the list of login names,
etc.

The "salt" characters help somewhat, and the time it takes to encrypt
a password is comfortably large.

On BRL UNIX, the encrypted passwords are stored in a protected
file to force all accesses to go through trusted system code.
Three invalid login attempts and you're disconnected.

By a combination of tricks like the above, it should be quite
hard to break into a system.

If guest accounts (anonymous logins etc.) set up a "restricted"
environment then such accounts should pose little danger since
the passwords for other accounts would be inaccessible.
Unfortunately Berkeley has stolen the name "rsh" to mean something
other than the "restricted shell" but that is easy to work around.
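
The password check proposed in the first paragraph above, written out as an added example; it is not part of the original post and is not BRL's or any system's actual "passwd" code. The word list, the login names, the 6-character minimum and the case-insensitive matching are constructed assumptions, and applying the backward-spelling test to login names as well goes slightly beyond what the post states.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lists standing in for the system word list and logins. */
static const char *WORDS[]  = { "wizard", "secret", "kernel", "password" };
static const char *LOGINS[] = { "root", "guest", "gwyn", "operator" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
#define MIN_LEN 6 /* assumed minimum; the post gives no number */
enum pw_verdict { PW_OK, PW_TOO_SHORT, PW_IN_WORDLIST, PW_IS_LOGIN };

/* Case-insensitive match of pw, read forward or backward, against word. */
static int matches(const char *pw, size_t n, const char *word, int reverse)
{
    if (strlen(word) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)pw[reverse ? n - 1 - i : i]) !=
            tolower((unsigned char)word[i]))
            return 0;
    return 1;
}

static int in_list(const char *pw, const char **list, size_t count)
{
    size_t n = strlen(pw);
    for (size_t i = 0; i < count; i++)
        if (matches(pw, n, list[i], 0) || matches(pw, n, list[i], 1))
            return 1;
    return 0;
}

/* Report the most specific reason to refuse a candidate, or PW_OK. */
enum pw_verdict check_password(const char *pw)
{
    if (in_list(pw, LOGINS, COUNT(LOGINS)))
        return PW_IS_LOGIN;
    if (in_list(pw, WORDS, COUNT(WORDS)))
        return PW_IN_WORDLIST;
    return strlen(pw) < MIN_LEN ? PW_TOO_SHORT : PW_OK;
}

int main(void)
{
    const char *tries[] = { "Wizard", "draziw", "toor", "abc", "x7#Lm2qT" };
    for (size_t i = 0; i < COUNT(tries); i++)
        printf("%-10s -> %d\n", tries[i], (int)check_password(tries[i]));
    return 0;
}
```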