Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!philabs!seismo!hao!hplabs!sri-unix!gwyn@brl-vld
From: gwyn%brl-vld@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re: a thought about UNIX login security
Message-ID: <2331@sri-arpa.UUCP>
Date: Sat, 18-Jun-83 13:20:09 EDT
Article-I.D.: sri-arpa.2331
Posted: Sat Jun 18 13:20:09 1983
Date-Received: Wed, 22-Jun-83 07:44:05 EDT
Lines: 22

From: Doug Gwyn (VLD/VMB)

The "passwd" program simply ought to refuse to let one choose a password that is in the on-line word list (or spelled backward, etc.), or one that is too short, or in the list of login names, etc.

The "salt" characters help somewhat, and the time it takes to encrypt a password is comfortably large. On BRL UNIX, the encrypted passwords are stored in a protected file to force all accesses to go through trusted system code. Three invalid login attempts and you're disconnected.

By a combination of tricks like the above, it should be quite hard to break into a system. If guest accounts (anonymous logins etc.) set up a "restricted" environment then such accounts should pose little danger since the passwords for other accounts would be inaccessible.

Unfortunately Berkeley has stolen the name "rsh" to mean something other than the "restricted shell" but that is easy to work around.
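
The refusal rules listed in the article above (too short, in the word list, a word spelled backward, a login name), sketched as an added example that is not part of the original post and not the code of any real "passwd". The names `check_password`, `same` and `in_list`, the minimum length of 6, the case-insensitive matching, and the small word and login lists are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 6 /* assumed threshold; the article only says "too short" */

/* Constructed sample data standing in for the on-line word list
   and the login names of the system. */
static const char *WORDS[]  = { "wizard", "kernel", "secret", "password", NULL };
static const char *LOGINS[] = { "root", "guest", "operator", NULL };

enum pw_verdict { PW_OK, PW_TOO_SHORT, PW_LOGIN_NAME, PW_IN_WORDLIST, PW_REVERSED_WORD };
static const char *VERDICT[] = { "ok", "too short", "login name", "dictionary word", "reversed word" };

/* Case-insensitive equality of s and t; when rev is set, t is read backward. */
static int same(const char *s, const char *t, int rev)
{
    size_t n = strlen(s), i;
    if (n != strlen(t)) return 0;
    for (i = 0; i < n; i++) {
        int a = tolower((unsigned char)s[i]);
        int b = tolower((unsigned char)t[rev ? n - 1 - i : i]);
        if (a != b) return 0;
    }
    return 1;
}

static int in_list(const char *s, const char **list, int rev)
{
    for (; *list; list++)
        if (same(s, *list, rev)) return 1;
    return 0;
}

/* Return the first rule the candidate violates, or PW_OK if it passes all. */
enum pw_verdict check_password(const char *cand)
{
    if (strlen(cand) < MIN_LEN)  return PW_TOO_SHORT;
    if (in_list(cand, LOGINS, 0)) return PW_LOGIN_NAME;
    if (in_list(cand, WORDS, 0))  return PW_IN_WORDLIST;
    if (in_list(cand, WORDS, 1))  return PW_REVERSED_WORD;
    return PW_OK;
}

int main(void)
{
    const char *samples[] = { "root", "Operator", "kernel", "drazIW", "tr0ub4dor", NULL };
    for (const char **p = samples; *p; p++)
        printf("%-10s -> %s\n", *p, VERDICT[check_password(*p)]);
    return 0;
}
```
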