From owner-freebsd-hackers Wed Jan 19 15:04:00 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from pau-amma.whistle.com (pau-amma.whistle.com [207.76.205.64]) by hub.freebsd.org (Postfix) with ESMTP id ECCE5150B3 for ; Wed, 19 Jan 2000 15:03:45 -0800 (PST) (envelope-from dhw@whistle.com)
Received: (from dhw@localhost) by pau-amma.whistle.com (8.9.2/8.9.2) id PAA83306; Wed, 19 Jan 2000 15:03:38 -0800 (PST)
Date: Wed, 19 Jan 2000 15:03:38 -0800 (PST)
From: David Wolfskill
Message-Id: <200001192303.PAA83306@pau-amma.whistle.com>
To: hackers@FreeBSD.ORG, scott@mail.medsp.com
Subject: Re: reuse of old passwords
In-Reply-To: <20000119144254.A86549@www.medsp.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>Date: Wed, 19 Jan 2000 14:42:54 -0800
>From: Scott Gasch

>So my questions are: what is the thinking behind allowing a user to
>reuse the same password again? If this is the policy, what is the
>sense of forcing a password change? What are your concerns with a
>policy that would not allow old password reuse?

One of my main reasons for believing that retaining a password history is a Bad Thing is that if, somehow, a Bad Guy (tm) were to acquire a copy of the password history (say, from a backup tape), that would permit the BG to perform brute force attacks against those encrypted passwords at his leisure. Given sufficient time, the Bad Guy will be able to crack those passwords. (Most of my biases in this respect were formed in an environment where passwords were fairly limited -- DES-encrypted, no more than 8 characters. Some of this may be less of an issue under other conditions... but I'm not qualified to judge that, and I choose to err on the side of caution/paranoia.)

Given the cracked list of passwords, especially if the BG can know the order in which they were selected, I would expect that if the person whose passwords were cracked uses some sort of pattern in choosing the passwords -- which I would expect would be quite common -- the BG is more likely to be able to discern a likely pattern, thus reducing the universe of likely current passwords... in some cases, dramatically.

Since I'm writing anyway, I'll go a little further, and state that it is my (personal! -- I'm *not* speaking/writing on behalf of any corporate entity) belief that:

* In general, things that reduce the scope of a brute-force search are bad.

* Authentication mechanisms are provided as a *convenience* for users. (I realize that some -- many, even -- folks would consider this to be such a stretch that they would be unable to suspend disbelief enough to give it serious thought. But try to bear with me....)

* A person is responsible for what is done by processes that are run with an effective UID that has been assigned to that person. No excuses (well, absent OS malfunction or something perpetrated by someone with root access).

* If someone actually *wants* to let other folks run random processes on his behalf, far be it from me to tell him "No." But if one of those does something inappropriate, I would hold the assigned person responsible, regardless.

* So from that (probably warped) perspective, authentication mechanisms provide a way to help keep folks honest about who is doing what. Expecting a whole lot more of them is not an exercise I'd care to join.

(I'm told, upon occasion, that I have a rich fantasy life.)

Cheers,
david
--
David Wolfskill dhw@whistle.com UNIX System Administrator
voice: (650) 577-7158 pager: (888) 347-0197 FAX: (650) 372-5915

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
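The message's two concerns, that a stored history of encrypted passwords is offline cracking material and that users pick patterned sequences, can both be addressed at change time without keeping any history at all: the user supplies the old and the new plaintext, so the new one can be rejected as a trivial variant and then both are discarded. The following is an added illustration of that idea, not code from the original message or from FreeBSD; the thresholds and the normalisation rule are assumptions chosen for the example.

```python
import re


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core(password: str) -> str:
    """Case-fold and strip leading/trailing digits and punctuation.

    "Secret1!" and "secret2" share the core "secret", which is exactly the
    kind of increment-the-suffix pattern the message worries about.  An
    all-digit password has an empty core; the caller then uses the raw string.
    """
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def is_trivial_variant(old: str, new: str, min_distance: int = 3) -> bool:
    """True if `new` is an easily guessed variant of `old`.

    Both plaintexts exist only for the duration of the change request;
    nothing is written to a history file, so there is nothing to crack later.
    The distance threshold (assumed value 3) is a policy knob, not a standard.
    """
    if old == new:
        return True
    o, n = core(old), core(new)
    if not o or not n:                  # e.g. purely numeric passwords
        o, n = old.lower(), new.lower()
    if o == n or o == n[::-1]:          # same core, or the core reversed
        return True
    if min(len(o), len(n)) >= 4 and (o in n or n in o):   # old core embedded
        return True
    return levenshtein(o, n) < min_distance
```

The check is deliberately one-way: it can reject a new password, but the old one is never retained, so a backup of this system yields no password history to attack.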