a thought about UNIX login security
satz%sri-tsc at sri-unix.UUCP
Sat Jun 18 00:45:00 AEST 1983
We have a similar program that beats up the passwd file looking for
"easy" passwords. But instead of attacking the problem from a
defensive standpoint, we took an offensive one. We modified the passwd
program to do some more checking before allowing users to set their
passwords. If we get a hit, we don't let the user use that particular
password and ask for another one:
1) check his username forwards and backwards
2) check his personal name forwards and backwards, first and last
3) a list of common phrases (and nonwords) forwards and backwards
4) the entire dictionary forwards and backwards
Believe it or not, it doesn't take more than 2-3 minutes to change your
password (on an 11/44) since it uses clear text in its testing. This
is pretty paranoid, I realize, but it is effective. It can be rather
frustrating to choose a new password, however.
The only real "hole" left in passwd is that we will still allow
small passwords to persistent users.
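The four checks described above, implemented as an added Python example; this is not code from the original post or from the SRI passwd modification it describes. The word lists are constructed stand-ins for /usr/dict/words and a site list of common phrases, the GECOS parsing is an assumption about how "personal name" is obtained, and the six-character minimum is an assumed threshold the post does not give. Like the original, it compares the candidate in clear text rather than through crypt(), which is why a whole dictionary can be scanned cheaply, and like the original it lets a short password through if the user insists.

```python
"""Refuse 'easy' passwords at passwd time: username, personal name,
common phrases and dictionary words, each forwards and backwards."""

# Constructed sample lists standing in for /usr/dict/words and a site
# phrase list; a real deployment would read these from files.
DICTIONARY = ["apple", "secret", "password", "dragon", "welcome", "computer"]
COMMON_PHRASES = ["letmein", "qwerty", "abc123", "opensesame", "12345678"]
MIN_LENGTH = 6  # assumed threshold; the post gives no number


def candidates_from_name(username, gecos):
    """Username plus first, last and full personal name taken from the
    GECOS field ("Full Name,office,phone,..."), each lower-cased and each
    also reversed. The GECOS layout is an assumption of this example."""
    words = {username}
    full_name = gecos.split(",")[0].strip()
    parts = full_name.split()
    if parts:
        words.add(parts[0])
        words.add(parts[-1])
        words.add(full_name.replace(" ", ""))
    words = {w.lower() for w in words if w}
    return words | {w[::-1] for w in words}


def weak_password(password, username, gecos,
                  dictionary=DICTIONARY, phrases=COMMON_PHRASES):
    """Return a reason string if the candidate should be refused, else None.
    All comparisons are on the clear-text candidate, case-insensitively."""
    pw = password.lower()
    reversed_pw = pw[::-1]
    if pw in candidates_from_name(username, gecos):
        return "derived from your username or personal name"
    phrase_set = {p.lower() for p in phrases}
    if pw in phrase_set or reversed_pw in phrase_set:
        return "a common phrase"
    # Set membership covers the dictionary forwards (pw) and backwards
    # (reversed pw is a word iff pw is a reversed word).
    dict_set = {w.lower() for w in dictionary}
    if pw in dict_set or reversed_pw in dict_set:
        return "a dictionary word"
    return None


def choose_password(password, username, gecos, insist=False):
    """Mimic the modified passwd: a password caught by the checks is refused
    outright; a short one is refused the first time but accepted once the
    user insists, which is the remaining hole the post mentions."""
    reason = weak_password(password, username, gecos)
    if reason:
        return False, "too easy (%s); please choose another" % reason
    if len(password) < MIN_LENGTH and not insist:
        return False, "shorter than %d characters; choose a longer one" % MIN_LENGTH
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample account for a quick demonstration.
    user, gecos = "jsmith", "John Smith,Rm 101,555-1212"
    for attempt in ["Smith", "htimsj", "nogard", "qwerty", "ab1", "xq7!Lm9p"]:
        ok, msg = choose_password(attempt, user, gecos)
        print("%-10s %s" % (attempt, msg))
```

Because every comparison is an exact (case-folded) match, the example refuses "smith" but not "smith1"; extending it to strip trailing digits or to search for the dictionary word as a substring is a natural next step, at the cost of making new passwords even more frustrating to choose.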