Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!adm!bzs@bu-cs.bu.EDU
From: bzs@bu-cs.bu.EDU (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: 60-second timeout in Unix login
Message-ID: <10578@brl-adm.ARPA>
Date: Sun, 29-Nov-87 18:06:08 EST
Article-I.D.: brl-adm.10578
Posted: Sun Nov 29 18:06:08 1987
Date-Received: Wed, 2-Dec-87 20:49:39 EST
Sender: news@brl-adm.ARPA
Lines: 57


>When you successfully logged in, it gave you a report.  If you saw too
>many of these things, it might be a wise idea to change your password.
>
>This is not a new idea of mine, I stole it from VMS ...
>
>- John.

And it's certainly not a new idea with VMS...

Is there really any good basis for changing one's password in the face
of repeated failed attempts to login by a cracker? This assumes of
course that the cracker has not been successful and the password you
are using is not obvious (so the change is not simply justified by
increasing the security level of the password choice itself.) Given
that, aren't you as likely as not to change your passwd to the
cracker's *next* guess?

Even password aging, which seems to be based upon similar logic (?), I
assume relies on the assumption that the would-be cracker is "closing
in", so changing it throws him/her off course. I thought we all rely on
the massive combinatorics (assuming good passwd choice) involved?
Changing the passwd doesn't change that.

I could definitely see changing your login name. If the cracker moves
to that new login name (new failed login attempt messages) you know
s/he is specifically after you and not just a random hit. What you do
next is not obvious, but that's off the topic.  Alternately it might
just force the cracker to continue to try the old acct and waste his
or her time (assuming you've rendered the old account name inert.)

I never saw any logic to the reply "change your password" when someone
notices repeated failed attempts (we can monitor this on our systems
also.) Changing your account name is not of much use if the person is
the slightest bit interested in you, unless you don't run finger or
leave clues in outgoing mail and news postings (fat chance), etc.;
internal people can obviously just grep passwd. It's not much of a
response, but it might give a hint that it's worth worrying about if the
cracker does follow you to your new account name.

The only possible reasons I can see are:

	1. You had a bad passwd to begin with so this is a good time
	to change to a good one (maybe that's what sysadmins hope for.)

	2. You think the cracker has cracked your passwd but for some
	reason you cannot detect this (e.g. by viewing lastlog.) Changing
	the passwd would at least block this possibility (that they've
	already got you.)

	3. You fear that somehow the cracker is persisting because they
	have part of your password and just need a few more tries to
	break it (possible, unlikely, no feedback, unless they got it
	from some other method, like looking over your shoulder while
	you typed it in.)

	-Barry Shein, Boston University
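Added example, not part of the post above: a small Python model of the combinatorics argument it makes. It assumes an online guesser who works through a candidate space of n passwords without repeating a guess, and a defender who either keeps the password or replaces it with one drawn uniformly from the same space after every k failed attempts; the `weak_rank` option models the post's reason 1, a password the guesser happens to try early. All numbers are constructed.

```python
import random
from fractions import Fraction

# Constructed model (not the post's code): an online guesser tries candidate
# passwords one at a time; the defender either keeps the password or replaces
# it with a fresh uniformly random one after every k failed attempts.
# n is the size of the candidate space the guesser enumerates.

def expected_guesses(n, rotate_every=None):
    """Exact expected number of guesses until the guesser succeeds.
    No rotation: exhaustive search over n equally likely candidates.
    Rotation every k <= n failed guesses: each block of k distinct guesses
    hits with probability k/n, so the number of blocks is geometric and the
    hit position inside the successful block is uniform on 1..k."""
    if rotate_every is None or rotate_every >= n:
        return Fraction(n + 1, 2)
    k = rotate_every
    return Fraction(n) - Fraction(k - 1, 2)   # = (n/k - 1)*k + (k+1)/2

def simulate(n, rotate_every=None, weak_rank=None, trials=3000, seed=1):
    """Monte Carlo mean of the same game.  weak_rank=r starts the defender
    with the password the guesser happens to try r-th (a bad password);
    a rotated password is uniform over all n candidates, so it may be one
    the guesser has already tried, which is the post's 'next guess' point."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        order = list(range(n))
        rng.shuffle(order)                      # guesser's fixed sequence
        secret = order[weak_rank - 1] if weak_rank else rng.randrange(n)
        guesses = 0
        while True:
            guess = order[guesses % n]          # cycles through the list
            guesses += 1
            if guess == secret:
                break
            if rotate_every and guesses % rotate_every == 0:
                secret = rng.randrange(n)       # defender changes password
        total += guesses
    return total / trials

if __name__ == "__main__":
    n = 200
    for k in (None, 20, 1):
        print(f"rotate every {k}: exact {float(expected_guesses(n, k)):.1f}"
              f"  simulated {simulate(n, k):.1f}")
    # a weak password is found quickly; rotating it away restores the full odds
    print("weak, kept:", simulate(n, weak_rank=3),
          " weak, rotated each failure:", simulate(n, 1, weak_rank=3))
```

With a good password the per-attempt hit probability is 1/n whether or not it changes, so rotation does not lower the guesser's expected effort; only the weak-password case improves, which is the post's reason 1.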