>Date: Wed, 19 Jan 2000 14:42:54 -0800
>From: Scott Gasch <[EMAIL PROTECTED]>

>So my questions are: what is the thinking behind allowing a user to
>reuse the same password again?  If this is the policy, what is the
>sense of forcing a password change?  What are your concerns with a
>policy that would not allow old password reuse?

One of my main reasons for believing that retaining a password history
is a Bad Thing is that if, somehow, a Bad Guy (tm) were to acquire a
copy of the password history (say, from a backup tape), that would
permit the BG to perform brute force attacks against those encrypted
passwords at his leisure.

Given sufficient time, the Bad Guy will be able to crack those
passwords.  (Most of my biases in this respect were formed in an
environment where passwords were fairly limited -- DES-encrypted, no
more than 8 characters.  Some of this may be less of an issue under
other conditions... but I'm not qualified to judge that, and I choose to
err on the side of caution/paranoia.)

Given the cracked list of passwords, especially if the BG can know the
order in which they were selected, I would expect that if the person
whose passwords were cracked uses some sort of pattern in choosing the
passwords -- which I would expect would be quite common -- the BG is
more likely to be able to discern a likely pattern, thus reducing the
universe of likely current passwords... in some cases, dramatically.

Since I'm writing anyway, I'll go a little further, and state that it is
my (personal! -- I'm *not* speaking/writing on behalf of any corporate
entity) belief that:

*  In general, things that reduce the scope of a brute-force search are
   bad.

*  Authentication mechanisms are provided as a *convenience* for users.
   (I realize that some -- many, even -- folks would consider this to be
   such a stretch that they would be unable to suspend disbelief enough
   to give it serious thought.  But try to bear with me....)

*  A person is responsible for what is done by processes that are run
   with an effective UID that has been assigned to that person.  No
   excuses (well, absent OS malfunction or something perpetrated by
   someone with root access).

*  If someone actually *wants* to let other folks run random processes
   on his behalf, far be it from me to tell him "No."  But if one of
   those does something inappropriate, I would hold the assigned person
   responsible, regardless.

*  So from that (probably warped) perspective, authentication mechanisms
   provide a way to help keep folks honest about who is doing what.
   Expecting a whole lot more of them is not an exercise I'd care to
   join.

(I'm told, upon occasion, that I have a rich fantasy life.)

Cheers,
david
-- 
David Wolfskill         [EMAIL PROTECTED]         UNIX System Administrator
voice: (650) 577-7158   pager: (888) 347-0197   FAX: (650) 372-5915
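The reply above argues that a retained password history is an offline cracking target, and the era it describes stored entries as DES crypt(3) hashes of at most 8 characters. As an added illustration (not code from this thread or from FreeBSD), here is a minimal reuse check that at least removes the cheap-to-crack part of that trade-off: each history entry gets its own random salt and a slow PBKDF2 derivation, so a stolen history cannot be attacked with one precomputed table, though it remains an offline target exactly as the author warns. Names (`PasswordHistory`, `change_password`) and parameters are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
ITERATIONS = 200_000
HISTORY_DEPTH = 5  # number of previous passwords a user may not reuse


def hash_entry(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-length key from the password under a per-entry salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


class PasswordHistory:
    """Per-user history of derived keys; never stores the passwords themselves."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []  # (salt, derived key)

    def record(self, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per entry defeats shared rainbow tables
        self.entries.append((salt, hash_entry(password, salt)))
        # Keep only the most recent `depth` entries; older ones are discarded,
        # which also limits what a leaked backup of this history reveals.
        del self.entries[:-self.depth]

    def was_used(self, candidate: str) -> bool:
        """True if candidate matches any retained entry (constant-time compare)."""
        for salt, stored in self.entries:
            if hmac.compare_digest(hash_entry(candidate, salt), stored):
                return True
        return False


def change_password(history: PasswordHistory, new_password: str) -> bool:
    """Reject reuse of a retained password; otherwise record the new one."""
    if history.was_used(new_password):
        return False
    history.record(new_password)
    return True
```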


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
