Great Circle Associates Firewalls
(February 1994)
 


Subject: Re: Crack'ified npasswd
From: "Paul Pomes" <paul @ uxc . cso . uiuc . edu>
Date: Sat, 12 Feb 1994 18:05:47 -0600
To: Firewalls @ greatcircle . com
In-reply-to: Your message of Sat, 12 Feb 1994 01:00:12 PST. <9402120900 . AA22589 @ mycroft . GreatCircle . COM>

If my experience with folding CrackLib-2.5 into the CSO Nameserver package
is any guide, adding the Crack rules makes a password checker too strict with
insufficient feedback to the user.  Passwords that were the first letter of
words in a random phrase would be rejected as being derived from a dictionary
word.  Which word?  What derivative operation?  Unless the user has a clue
as to why a nonsense password is rejected, they can't be expected to choose
"better" ones.

My chief objection to CrackLib was that the rules were not spelled out in
an easily understood manner.  To make such a proactive password checker
acceptable, the rules must be configurable.  Rules that catch 90% of the
passwords (or 98%, 99%, 99.985%, etc) are what's needed.  If I know that
the last 1% of the passwords require an additional 50 CPU hours to find,
then 99% is fine with me.

For me npasswd is part of an in-depth defense.  First someone has to get
a copy of my shadow password files before they can run crack.  Ideally
what npasswd does for me is eliminate easily guessed passwords.  For that
the 90% level is fine and eliminates most user resistance.

/pbp
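A small illustration of the kind of checker the post asks for, added here as an example and not code from npasswd or CrackLib: each derivation rule is named and can be switched on or off individually, the wordlist is a constructed toy standing in for the Crack dictionary, and a rejection tells the user which word and which transformation matched.

```python
"""Proactive password checker with named, configurable derivation rules."""
from typing import Callable, Dict, Optional

# Constructed toy wordlist; a real deployment would load the Crack dictionary.
WORDLIST = {"password", "secret", "welcome", "firewall", "dragon"}


def strip_digits(s: str) -> str:
    return "".join(c for c in s if not c.isdigit())


def unleet(s: str) -> str:
    # Undo common digit/symbol-for-letter substitutions (0->o, 1->l, ...).
    return s.translate(str.maketrans("0134$@", "oleasa"))


# Each rule maps a candidate password to the dictionary form it might be
# derived from.  Site policy decides which rules are active (the "90% vs 99%"
# trade-off in the post) by passing a subset of this dict to check().
RULES: Dict[str, Callable[[str], str]] = {
    "lowercased": str.lower,
    "reversed": lambda s: s[::-1].lower(),
    "digits stripped": lambda s: strip_digits(s).lower(),
    "leet substitutions undone": lambda s: unleet(s.lower()),
    "trailing character dropped": lambda s: s[:-1].lower(),
}


def check(password: str, min_len: int = 8,
          rules: Optional[Dict[str, Callable[[str], str]]] = None,
          wordlist=WORDLIST) -> Optional[str]:
    """Return None if the password is acceptable, else an actionable reason.

    The reason names the dictionary word and the rule that produced it, so a
    user rejected for "P4ssw0rd" learns it is 'password' with leet undone
    rather than just "based on a dictionary word".
    """
    if len(password) < min_len:
        return f"too short: {len(password)} chars, need {min_len}"
    active = RULES if rules is None else rules
    for name, transform in active.items():
        candidate = transform(password)
        if candidate in wordlist:
            return f"derived from dictionary word '{candidate}' ({name})"
    return None  # acronym-style passwords such as "tqbfjotld" pass


if __name__ == "__main__":
    for pw in ("P4ssw0rd", "drowssaP", "Secret99", "tqbfjotld"):
        print(pw, "->", check(pw) or "accepted")
```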


