1995-07-21 - Re: big word listing

Header Data

From: Doug Hughes <Doug.Hughes@Eng.Auburn.EDU>
To: gorkab@sanchez.com
Message Hash: 1b75494f58a12b6ab0f39376c9c0629c443711708ccf9e5728f726b69830622b
Message ID: <doug-9506212002.AA001121984@netman.eng.auburn.edu>
Reply To: <00993AF518E527C0.00011F64@sanchez.com>
UTC Datetime: 1995-07-21 20:02:32 UTC
Raw Date: Fri, 21 Jul 95 13:02:32 PDT

Raw message

From: Doug Hughes <Doug.Hughes@Eng.Auburn.EDU>
Date: Fri, 21 Jul 95 13:02:32 PDT
To: gorkab@sanchez.com
Subject: Re: big word listing
In-Reply-To: <00993AF518E527C0.00011F64@sanchez.com>
Message-ID: <doug-9506212002.AA001121984@netman.eng.auburn.edu>
MIME-Version: 1.0
Content-Type: text/plain




>As a security measure, I am trying to get a massive dictionary of words
>together, and each time a user changes his/her password, it checks the list to
>see if the password is in it.  My question is, are there any pre-built lists of
>this nature?  I am currently only using a spelling dictionary, and would like
>something a little bigger.
>
>
>
You're re-inventing the wheel. Look for npasswd or passwd+. Both do things
like that. Or, better yet, don't use dictionaries at all (they're out of date
as soon as they're made available). Use rules that force your users to
choose good passwords (just don't be too Draconian. ;).  We have a rule
that says a user must choose at least one upper case character, one lower
case character, and one number, symbol, or control character in his/her
password. It's met little resistance, a few complaints, and it's immune
to most dictionary password schemes. The only other restriction is that
they must have at least 6 characters in their passwords. That was already
"mostly" enforced, so there was no problem there. 
 This prevents people from picking passwords like the name of a significant
other, the name of a place, or some foreign language word that normal
dictionaries wouldn't necessarily catch, but some password cracking program
"might" (depending on who has the more recent dictionary).

 This really is more along the charter of comp.unix.security though, and
not cypherpunks (IMHO).

--
____________________________________________________________________________
Doug Hughes					Engineering Network Services
System/Net Admin  				Auburn University
			doug@eng.auburn.edu
		"Real programmers use cat > file.as"
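
The composition rule described in the message above (one upper case, one lower case, one number/symbol/control character, at least 6 characters), as an added example that is not part of the original message and is not code from npasswd or passwd+. The function names and the reading of "symbol" as any non-letter character are assumptions; the sample candidates are constructed.

```python
# Added example: the composition rule from the message above, not code from
# npasswd, passwd+ or the author's site. Function names are hypothetical.
MIN_LENGTH = 6  # "at least 6 characters"


def rule_violations(password: str) -> list[str]:
    """Return the rules the candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case character")
    if not any(c.islower() for c in password):
        problems.append("no lower case character")
    # Assumption: "number, symbol, or control character" is read as any
    # character that is not a letter (digits, punctuation, space, control codes).
    if not any(not c.isalpha() for c in password):
        problems.append("no number, symbol, or control character")
    return problems


def accepted(password: str) -> bool:
    """True when the candidate breaks none of the rules."""
    return not rule_violations(password)


# Constructed sample candidates, not taken from any real system.
SAMPLES = ["auburn", "Auburn", "Aub1", "tigers95", "Ti\x07gers", "w@rEagle"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        problems = rule_violations(candidate)
        verdict = "accepted" if not problems else "rejected: " + "; ".join(problems)
        print(f"{candidate!r:14} {verdict}")
```
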




