Checksum: 50774
Lines: 53
Path: utzoo!sq!msb
From: msb@sq.uucp (Mark Brader)
Date: Tue, 15-Nov-88 20:52:58 EST
Message-ID: <1988Nov15.205258.12029@sq.uucp>
Newsgroups: news.sysadmin
Subject: Re: Password support
References: <931@sword.bellcore.com>
Reply-To: msb@sq.com (Mark Brader)
Organization: SoftQuad Inc., Toronto

Eleazor bar Shimon (yba@sabre.bellcore.com) repeats an often-made suggestion:
> 	- modify /bin/passwd (on your central server if you distribute the
> 	  passwd file) to require that all passwords are at least 7 characters
> 	  in length, have at least one upper-case and one lower-case letter,
> 	  and one non-alphabetic character.

And I will repeat my standard response to it:

Passwords meeting the above specifications, while more secure against
electronic forms of cracking, are LESS secure against casual observation
of the typing fingers!  This is particularly an issue if they are to be
used by occasional typists and in an environment where physical security
is minimal -- a common enough situation.

Nobody would do that?  I did!  I once learned a root password by that method.
(It was only 5 characters.)

If you're going to modify the system's password code, I think the first
thing you should do is remove the standard UNIX limit of 8 significant
characters on a password.  (If you didn't think there was such a limit,
try it!  I believe that only the first 8 characters are significant on
*all* common UNIX systems.  The reason is the DES key length, though the
password encryption is not pure DES.)

Here is an easy way to raise this limit to 16 characters:

	#define MAXPWD 8

	/*
	 * Split the password as typed into two "virtual" passwords of
	 * up to MAXPWD characters each: alternate characters go to each.
	 */
	void
	splitpw(register char *pwd,	/* pointer to password as typed */
		char pw1[MAXPWD+1], char pw2[MAXPWD+1])	/* result */
	{
		register char *p = pw1, *q = pw2;

		/* Stop at &pw1[MAXPWD], not &pw1[MAXPWD+1]: with the
		 * latter the '\0' stored below lands one past the end
		 * of each array. */
		while (p < &pw1[MAXPWD]) {
			*p++ = *pwd;	if (*pwd) pwd++;
			*q++ = *pwd;	if (*pwd) pwd++;
		}
		*p = *q = '\0';
	}

This splits the given password into 2 virtual passwords of up to 8 characters
each.  Encrypt them separately by the present method, each with its own salt,
and concatenate the results to form the character string to place in the
password file.  The inverse process, for login and the like, should be obvious.
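The scheme just described, carried through both ways as an added example (this is not Mark Brader's code, nor anything from a UNIX passwd(1) or login(1) source): split the typed password, encrypt each half with its own salt, concatenate the two results into the password-file field, and on login redo the same from what was typed and compare. Assumptions: crypt(3) is replaced by a stand-in named toy_crypt (a salted FNV-1a, not a password hash, used only so the block compiles and runs without libcrypt; it copies crypt's shape of 2 salt characters followed by 11 output characters); the salts "ab" and "cd", the sample password, and the helper names make_entry, check_entry, roundtrip and split_is are all constructed for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAXPWD   8
#define HALFLEN  13                 /* shape of one crypt(3) result: 2 salt + 11 hash chars */
#define ENTRYLEN (2 * HALFLEN)      /* two results concatenated in the password file */

/* Split the typed password into two halves of alternating characters,
 * each at most MAXPWD long; characters past 2*MAXPWD are ignored. */
static void splitpw(const char *pwd, char pw1[MAXPWD + 1], char pw2[MAXPWD + 1])
{
    char *p = pw1, *q = pw2;
    while (p < &pw1[MAXPWD]) {
        *p++ = *pwd; if (*pwd) pwd++;
        *q++ = *pwd; if (*pwd) pwd++;
    }
    *p = *q = '\0';
}

/* Stand-in for crypt(3) (assumption: salted FNV-1a, NOT a password hash).
 * It only gives the example something to run; use crypt(3) for real.
 * Output mimics crypt's shape: the 2 salt characters, then 11 characters. */
static const char b64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

static void toy_crypt(const char *pw, const char *salt, char *out)
{
    uint64_t h = 1469598103934665603ULL;
    int i;
    for (i = 0; i < 2; i++)       { h ^= (unsigned char)salt[i]; h *= 1099511628211ULL; }
    for (; *pw; pw++)             { h ^= (unsigned char)*pw;     h *= 1099511628211ULL; }
    out[0] = salt[0];
    out[1] = salt[1];
    for (i = 2; i < HALFLEN; i++) { out[i] = b64[h & 63]; h >>= 6; }
    out[HALFLEN] = '\0';
}

/* Build the password-file field: each half encrypted with its own salt,
 * the two results concatenated. */
static void make_entry(const char *pwd, const char *salt1, const char *salt2,
                       char entry[ENTRYLEN + 1])
{
    char pw1[MAXPWD + 1], pw2[MAXPWD + 1];
    splitpw(pwd, pw1, pw2);
    toy_crypt(pw1, salt1, entry);
    toy_crypt(pw2, salt2, entry + HALFLEN);
}

/* The inverse process for login: the salts are the first two characters
 * of each stored half, so recompute the field from what was typed and
 * compare.  Returns 1 on a match, 0 otherwise. */
static int check_entry(const char *pwd, const char *entry)
{
    char again[ENTRYLEN + 1];
    if (strlen(entry) != ENTRYLEN)
        return 0;
    make_entry(pwd, entry, entry + HALFLEN, again);
    return strcmp(again, entry) == 0;
}

/* Set a password, then try to log in with another: 1 if accepted. */
static int roundtrip(const char *set, const char *tried)
{
    char entry[ENTRYLEN + 1];
    make_entry(set, "ab", "cd", entry);   /* constructed salts; real passwd code picks random ones */
    return check_entry(tried, entry);
}

/* Check the split itself: 1 if pwd splits into exactly want1 and want2. */
static int split_is(const char *pwd, const char *want1, const char *want2)
{
    char pw1[MAXPWD + 1], pw2[MAXPWD + 1];
    splitpw(pwd, pw1, pw2);
    return strcmp(pw1, want1) == 0 && strcmp(pw2, want2) == 0;
}

int main(void)
{
    const char *pw = "correct horse batt";   /* constructed sample: 18 characters typed */
    printf("same password accepted:    %d\n", roundtrip(pw, pw));
    /* 9th character changed: rejected now, but invisible under the old 8-character limit */
    printf("9th character changed:     %d\n", roundtrip(pw, "correct Xorse batt"));
    /* 17th character changed: still accepted, since only 16 characters are significant */
    printf("17th character changed:    %d\n", roundtrip(pw, "correct horse batX"));
    return 0;
}
```

Because the halves take alternate characters rather than the first and second 8, a 9-character password already spreads across both halves, and the last two lines of main show where the new limit sits: a change in the 9th character is now caught, a change past the 16th is still ignored.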

Now require that all passwords be at least *12* characters, preferably 16,
and not obvious from dictionary search, keyboard patterns, and so on.
I think that with 16 characters all-lower-case-letters is quite sufficient if
one wants to use it, and desirable if there is any chance of being watched.

Mark Brader			"Alas, there is NO SUCH THING as
SoftQuad Inc., Toronto		'NO SUCH THING as privileged access.'"
utzoo!sq!msb, msb@sq.com			-- Alan Silverstein
