At 09:08 AM 9/1/00 -0700, James A. Donald wrote:
>     --
>At 08:53 PM 8/30/00 -0700, James A. Donald wrote:
> > >While you are correct that we should use Kerberos like security
> > >servers,  Kerberos itself is broken. It has been broken for some time.
> > >
> > >The problem is described in http://theory.stanford.edu/~tjw/krbpass.html,
>
>
>At 05:17 PM 8/31/2000 -0700, Jonathan Trostle wrote:
> > The first line of defense against dictionary attacks in Kerberos is
> > a reasonable password policy. The paper you cite does nothing to
> > show that a reasonable password policy is not adequate to prevent
> > these attacks - the paper demonstrates attacks against a Kerberos 4
> > realm with a very weak password policy. In particular, some users
> > had passwords with 1 character, some had passwords with 2
> > characters, etc.
>
>That was not my reading of the paper.
>
>The password checker discouraged, but did not flatly prohibit weak 
>passwords.  The vast majority of the passwords that they cracked were 
>passwords that the password checker had accepted.

A password checker is not a good way to prevent weak passwords, since it is well 
established that some users will pick weak passwords if given the choice. Kerberos 5 
password policy will not allow a user to pick a new password that does not conform 
with the password policy. One of the parameters for a password policy is minimum 
length.

Jonathan

>
>     --digsig
>          James A. Donald
>      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
>      A0bbR6u7j50dqDEO+2Fc+OObr3x+2gH94Mde3CJQ
>      4dxmy4K5kGimwMrQ0pNJ1zC9crVXCSszvx0j4Lp4z
>

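The distinction the two messages argue about, a checker that only discourages weak passwords versus a policy that refuses them, modelled as an added example (not code from MIT Kerberos or from either poster; the minimum-length rule follows the thread, the small dictionary list and the candidate passwords are constructed for illustration):

```python
"""Advisory versus enforcing password policy.

An advisory checker returns warnings but stores the password anyway, so a
user who ignores the warning still ends up with a dictionary-crackable key.
An enforcing policy (the Kerberos 5 behaviour described in the thread)
refuses any new password that fails the rules, so weak passwords never
reach the realm. Added example; not Kerberos code.
"""
from typing import Dict, List, Tuple

# Constructed stand-in for an attacker's word list: any password found here is
# recoverable offline from a captured pre-authentication exchange.
SAMPLE_DICTIONARY = frozenset({"a", "ab", "abc", "password", "kerberos", "secret"})


class PolicyViolation(Exception):
    """Raised by the enforcing policy when a candidate password is rejected."""


def check_password(password: str, min_length: int = 8,
                   dictionary=SAMPLE_DICTIONARY) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means it conforms.

    Minimum length is the policy parameter named in the thread; the dictionary
    check is an assumed extra rule added for illustration.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than minimum length {min_length}")
    if password.lower() in dictionary:
        problems.append("appears in dictionary")
    return problems


def advisory_set_password(password: str, min_length: int = 8) -> Tuple[bool, List[str]]:
    """Checker that discourages: warnings are reported, but the password is accepted."""
    return True, check_password(password, min_length)


def enforcing_set_password(password: str, min_length: int = 8) -> bool:
    """Policy that enforces: a non-conforming password is rejected outright."""
    problems = check_password(password, min_length)
    if problems:
        raise PolicyViolation("; ".join(problems))
    return True


def evaluate_candidates(candidates: List[str], min_length: int = 8) -> Dict[str, int]:
    """Run the same candidates through both modes and count what each would store."""
    advisory_stored = advisory_weak = 0
    enforcing_stored = enforcing_rejected = 0
    for pw in candidates:
        accepted, warnings = advisory_set_password(pw, min_length)
        advisory_stored += accepted
        advisory_weak += bool(warnings)  # stored despite the warning
        try:
            enforcing_stored += enforcing_set_password(pw, min_length)
        except PolicyViolation:
            enforcing_rejected += 1
    return {
        "advisory_stored": advisory_stored,
        "advisory_stored_weak": advisory_weak,
        "enforcing_stored": enforcing_stored,
        "enforcing_rejected": enforcing_rejected,
    }


if __name__ == "__main__":
    # Constructed candidate passwords, from trivially weak to conforming.
    sample = ["a", "abc", "password", "Tr0ub4dor&3", "correct horse battery staple"]
    for name, count in evaluate_candidates(sample).items():
        print(f"{name}: {count}")
```

With the constructed sample the advisory checker stores all five passwords, three of them weak; the enforcing policy stores only the two conforming ones and rejects the other three, which is exactly the difference that decides how much a dictionary attack against the realm can recover.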