Password security

Wayne Mesard mesard at bbn.com
Tue Nov 22 08:17:49 AEST 1988


From article <4449 at sneaky.TANDY.COM>, by gordon at sneaky.TANDY.COM (Gordon Burditt):
> Assuming for the moment that DES is kept, security would be increased if more 
> of the 2**56 bit combinations were generated by "obvious" passwords that users 
> can easily remember.  So, I propose the following change to the password 
> algorithm.
[...]
> - Change the length of the password to 28 characters minimum, 512 characters 
>   maximum.

Whether or not your proposal makes technical sense, you have forgotten
an important element of this equation: human nature.  Yes, the very same
thing that you're trying to circumvent by coercing people into using an
absurdly cumbersome mechanism.  What would happen if this procedure were
enacted?  I'll tell you:

 o  More people would stay logged in overnight and when they go to lunch,
    because it's become such a pain to login again.

 o  More people would write their passwords on slips of paper taped to
    their desk because it's become such a pain to remember.

 o  More people would choose easy passwords (e.g. 28 "a"s, or the
    alphabet plus their initials) to try to make memorization easier.

 o  More people would use the same password for the various machines on
    which they have accounts.

The people who are security-conscious will select non-obvious
passwords, just like they always have, but if you want to have an impact
on the rest of us, coercion is not the way.  Your efforts will be best
spent in making sure that those who most need to be "security literate"
are.  This includes sys-admins (I could list some root passwords that
would make an NSC staffer pull his hair out), and those working on
proprietary information (corporate or national).

> 
> 					Gordon L. Burditt
> 					...!texbell!sneaky!gordon

-- 
unsigned *Wayne_Mesard();    "He sounds like a really weird guy.  What's
MESARD at BBN.COM                he doing for Thanksgiving?"
BBN, Cambridge, MA                                          -DB.
