From: bzs@bu-cs.bu.EDU (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: 60-second timeout in Unix login
Message-ID: <10578@brl-adm.ARPA>
Date: Sun, 29-Nov-87 18:06:08 EST

>When you successfully logged in, it gave you a report. If you saw too
>many of these things, it might be a wise idea to change your password.
>
>This is not a new idea of mine, I stole it from VMS ...
>
>- John.

And it's certainly not a new idea with VMS...

Is there really any good basis for changing one's password in the face of repeated failed attempts to login by a cracker? This assumes of course that the cracker has not been successful and the password you are using is not obvious (so the change is not simply justified by increasing the security level of the password choice itself.)

Given that, aren't you as likely as not to change your passwd to the cracker's *next* guess?

Even password aging, which seems to be based upon similar logic (?), I assume relies on the assumption that the would-be cracker is "closing in", so changing it throws him/her off course. I thought we all rely on the massive combinatorics (assuming good passwd choice) involved? Changing the passwd doesn't change that.

I could definitely see changing your login name. If the cracker moves to that new login name (new failed login attempt messages) you know s/he is specifically after you and not just a random hit. What you do next is not obvious, but that's off the topic. Alternately it might just force the cracker to continue to try the old acct and waste his or her time (assuming you've rendered the old account name inert.)

I never saw any logic to the reply "change your password" when someone notices repeated failed attempts (we can monitor this on our systems also.)

Changing your account name is not of much use if the person is the slightest bit interested in you, unless you don't run finger or leave clues in outgoing mail and news postings (fat chance) etc.; internal people can obviously just grep passwd. It's not much of a response, but it might give a hint that it's worth worrying about if the cracker does follow you to your new account name.

The only possible reasons I can see are:

1. You had a bad passwd to begin with, so this is a good time to change to a good one (maybe that's what sysadmins hope for.)

2. You think the cracker has cracked your passwd but for some reason you cannot detect this (e.g. by viewing lastlog.) Changing the passwd would at least block this possibility (that they've already got you.)

3. You fear that somehow the cracker is persisting because they have part of your password and just need a few more tries to break it (possible, unlikely, no feedback, unless they got it from some other method, like looking over your shoulder while you typed it in.)

-Barry Shein, Boston University
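The combinatorics argument in the post (that changing a good password in the face of failed guesses does not change the odds) can be checked with a small model. The following Python is an added example, not code from the post or from any system it mentions; the model, its parameters and every function name are assumptions. Passwords are drawn uniformly from a space of `space` values, the attacker enumerates that space in an order the defender does not know and never repeats a guess, and the defender has already seen `seen` failed attempts. Both closed forms are also checked by simulation.

```python
"""Does rotating a password after seeing failed guesses change the odds?

Added example, not code from the original post. The model and every name in it
are assumptions: passwords are drawn uniformly from a space of `space` values,
the attacker enumerates that space in an order unknown to the defender without
repeating a guess, and the defender has observed `seen` failed attempts.
Attacker partial knowledge (reason 3 in the post) is deliberately outside the model.
"""
import random
from fractions import Fraction


def p_success_no_change(space: int, seen: int, budget: int) -> Fraction:
    """Probability the attacker succeeds within the next `budget` guesses if the
    password is left alone. The `seen` failures rule those values out, so the
    password is uniform over the `space - seen` untried values."""
    remaining = space - seen
    return Fraction(min(budget, remaining), remaining)


def p_success_after_change(space: int, seen: int, budget: int) -> Fraction:
    """Same question after the defender picks a fresh uniform password. The new
    password may land on a value the attacker already tried and abandoned, so
    only the untried values the attacker still reaches can hit."""
    remaining = space - seen
    return Fraction(min(budget, remaining), space)


def simulate(space: int, seen: int, budget: int, trials: int, seed: int = 0):
    """Monte Carlo check of the two closed forms; returns (no_change, change)
    success rates over `trials` independent attacks."""
    rng = random.Random(seed)
    hits_keep = hits_change = 0
    for _ in range(trials):
        order = list(range(space))
        rng.shuffle(order)                   # attacker's private guess order
        upcoming = order[seen:seen + budget]  # the attacker's next `budget` guesses
        # Condition on the first `seen` guesses having failed: the original
        # password is uniform over the values not yet tried.
        original = rng.choice(order[seen:])
        fresh = rng.randrange(space)         # rotated password, independent of `order`
        hits_keep += original in upcoming
        hits_change += fresh in upcoming
    return hits_keep / trials, hits_change / trials


if __name__ == "__main__":
    space, seen, budget = 200, 20, 10        # constructed toy parameters
    print("keep     :", float(p_success_no_change(space, seen, budget)))
    print("change   :", float(p_success_after_change(space, seen, budget)))
    print("simulated:", simulate(space, seen, budget, trials=20000, seed=1))
```

With `budget=1` this is the post's "next guess" question: the odds are 1/(space - seen) if you keep the password and 1/space if you change it, both negligible when the space is large, and the change only helps by the fraction of the space the attacker has already burned. The model assumes the new password is independent of the old one; a rotation to a similar password, or an attacker who already holds part of the password (reason 3 above), is exactly where this argument stops applying.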