SCO doesn't sell UNIX

John F Haugh II jfh at rpp386.cactus.org
Wed Dec 12 00:16:21 AEST 1990


In article <531 at camco.Celestial.COM> bill at camco.Celestial.COM (Bill Campbell) writes:
>I would love to see SCO UNIX available, not with 'relaxed' C2
>security, but with NO C2 security.  Shadow passwords are probably
>a good idea, but unnecessary if you use good passwords in the
>first place (not your spouse's name, birthday...).  Most security
>problems are caused by lazy, incompetent system administrators,
>not by the operating system.

Anyone who believes this has never read Appendices C and F out of
the DoD "Password Management Guidelines".

The difference between a system with shadowed passwords and
non-shadowed passwords being cracked is many orders of magnitude.
Think for a moment about a college network of say, 100 IBM S/6000's.
Using whatever benchmark results we have today, that is about 2,500
MIPS.  If a system in the 3 - 5 MIPS range can produce 1,000 UNIX
style encryptions per second, we should be able to get over 500,000
encryptions per second on our little network.  Now have a shadow
password system that turns your account off after 100 failures.
If you reenable the account once per day (after a long night of
hacking ;-), you get 864 seconds per encryption, or a difference
of 432,000,000 to 1.  That's almost 9 orders of magnitude.  Which
means that =your= password must come from a set which is almost
1,000,000,000 times larger than mine - just to be just as secure.
-- 
John F. Haugh II                             UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832                           Domain: jfh at rpp386.cactus.org
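The arithmetic in the post above, worked out as an added example (not part of the original message): it takes the poster's assumed figures (500,000 crypt(3)-style encryptions per second across the network, lockout after 100 failures, one re-enable per day), generalizes them into functions, and adds the equivalent-entropy view, i.e. how many extra bits of password space a readable password file costs you. The 26^8 keyspace is a constructed illustration.

```python
import math

# Figures assumed in the post: ~100 workstations, roughly 1,000
# UNIX-style encryptions per second per 3-5 MIPS machine.
OFFLINE_GUESSES_PER_SECOND = 500_000

# Lockout policy assumed in the post: account disabled after 100
# failures and re-enabled once per day.
LOCKOUT_THRESHOLD = 100
REENABLE_INTERVAL_S = 86_400


def online_guesses_per_second(threshold: int, reenable_interval_s: int) -> float:
    """Guess rate against a live login protected by lockout."""
    return threshold / reenable_interval_s


def guess_rate_ratio(offline_rate: float, threshold: int, reenable_interval_s: int) -> float:
    """Factor by which offline cracking of a readable hash outpaces
    online guessing against a lockout-protected account."""
    return offline_rate / online_guesses_per_second(threshold, reenable_interval_s)


def extra_entropy_bits(ratio: float) -> float:
    """Extra password entropy (bits) the non-shadowed user needs so the
    attacker's expected work is the same: keyspace must grow by `ratio`."""
    return math.log2(ratio)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in the keyspace."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    ratio = guess_rate_ratio(OFFLINE_GUESSES_PER_SECOND, LOCKOUT_THRESHOLD, REENABLE_INTERVAL_S)
    print(f"offline/online guess-rate ratio: {ratio:,.0f} (~10^{math.log10(ratio):.1f})")
    print(f"extra entropy needed without shadowing: {extra_entropy_bits(ratio):.1f} bits")

    keyspace = 26 ** 8  # constructed example: 8 lowercase letters
    online_rate = online_guesses_per_second(LOCKOUT_THRESHOLD, REENABLE_INTERVAL_S)
    for label, rate in (("offline", OFFLINE_GUESSES_PER_SECOND), ("online", online_rate)):
        days = seconds_to_exhaust(keyspace, rate) / 86_400
        print(f"{label:8s}: exhaust 26^8 candidates in {days:,.1f} days")
```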



More information about the Comp.unix.sysv386 mailing list