password aging (from worm discussion)

Tue Nov 29 01:25:06 AEST 1988

? Although I support the other proposals I will argue that shadow
? password files are a bad idea (actually, I'm not too enamored with
? password aging, others have argued against this questionable idea.)

I agree with the latter, but not the former. I happen to believe that
one should only choose *one* password *in their entire lifetime* and
stick with it until one has reason to believe it has been compromised.

The point being, that if you choose a different password, that you
are providing multiple targets for the brute force approach.

? It means that if, for any reason, you believe your password file has
? been let out you will have to admit that your security is compromised
? and, for starters, have everyone change their password (then spend
? your time "improving" the file's security etc.) You better also
? develop effective means of detecting whether anyone has read your
? password file or printed it out and not disposed of it properly.

Well, ain't it the (partial) truth? You seem to be saying that by
ignoring the problem that no lapse of security exists.

? You're turning the file into pure gold.

No, you're just moving the gold to a different place. And I see no reason
why the shadow file has to become readable even by wizards. In spite of
the recent holes exposed, and the possible ones that still exist, I
believe that UNIX is intrinsically secure, or secure enuf. 

? I still am confident that with methods like password changing programs
? which try to prod the user to choose a reasonable password AND
? education of users (perhaps backed with some internal enforcement,
? such as removing accounts that insist on trivial passwords, whatever
? your organization needs) the current publicly readable file affords
? MORE security than a shadow file.

I think that both are necessary.

? I sincerely hope that the community consider this matter before it
? becomes some sort of standard. I believe it compromises security by
? creating more problems than it solves, complicates security
? administration by requiring strict controls on who can access the file
? and creates new security crises when the file is believed to have been
? read by someone unauthorized.

One other unmentioned benefit of shadow files: they allow you to
rdist your password file across systems.

? I fear that everyone is currently running willy-nilly trying to find
? *something* to do in response to this worm, let's not, in the heat of
? the moment, commit to something that actually makes matters worse.

Good advice. True security is often elusive, and the obvious things
to do are often wrong.

? 	-Barry Shein, ||Encore||

	(Root Boy) Jim Cottrell	(301) 975-5688
	<rbj at nav.icst.nbs.gov> or <rbj at icst-cmr.arpa>
	Crackers and Worms -- Breakfast of Champions!