[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC: A UNIX crypt(3) replacement



> This is backwards logic; when security begins to hender in the
> functionality of the system, the security needs to be gotten rid of.
hmmm... Now that _completely_ depends on the system.  Now for the system
I administer, the level of security really isn't _that_ high (on the
grand scale of things).  It is, however, high enough that I inconvenience
the users with a pro-active password guesser, and passwords that expire
occasionally.  I suppose that this is a _minor_ inconvenience, but it
raises the level of security a very large amount.  On a less mundane
system (one run by the government, say), security is only _slightly_
less important than being able to use the system in the first place. :)
On this type of system almost any inconvenience is worth the cost.

> > You have previously said that the passwd file should not be available 
> > for public consumption.  Though this is certainly true, it does not
> > hurt that even if the passwd file is available, nothing particularly 
> > useful can be done with it.
> Hince you use pseudorandom password generators and crack.  If you count on
> somebody not being able to preform an opperation quickly, they'll usually
> prove you wrong.

whoa... didn't you just say:
> when security begins to hender in the
> functionality of the system, the security needs to be gotten rid of.
I think that psedu-random password generators would almost certainly
"hinder in the functionality of the system"...  :-)

I want to make it so that users can use passwords > 8 characters, and I 
want to use something a bit better than FreeBSD's solution.  Whether or 
not this is necessarily the One True Way (TM) to security, it will increase
security.  I'm not saying "Hey everyone.  Here is a spiffy new password
system that will make your entire system completely secure!"  I'm saying
"Could everyone please look at this algorithm that I'm thinking of using.
Could you please comment on it, so that I can make it better."  That's it.
All questions on whether or not passwords should shadowed, crackable,
not crackable, or consisting only of the letter "e", aside.  Is this
algorithm secure, and if not, why not.

				Joshua

>  --Deviant
> The Macintosh is Xerox technology at its best.
I very much like your signature... very nice... 

-----------------------------Joshua E. Hill-----------------------------
|                             Allen's Law:                             |
|           Almost anything is easier to get into than out of.         |
-------jehill@<gauss.elee|galaxy.csc|w6bhz|tuba.aix>.calpoly.edu--------