From: Dave Kinchlea <security@kinch.ark.com>
Date: Sun, 17 Nov 1996 14:52:58 -0800 (PST)
To: The Deviant <deviant@pooh-corner.com>
Subject: Re: RFC: A UNIX crypt(3) replacement
In-Reply-To: <Pine.LNX.3.94.961117222029.564A-100000@random.sp.org>
Message-ID: <Pine.LNX.3.95.961117145015.1181N-100000@kinch.ark.com>
MIME-Version: 1.0
Content-Type: text/plain


On Sun, 17 Nov 1996, The Deviant wrote:
> > 
> > Well, this certainly *IS* a different statement than I read from you
> > before. I don't find anything to disagree with here. Though, if your
> > passwords can't be cracked, what is the need for shadow passwords? It
> > simply introduces more variables and offers no more security.
> 
> While thats all well and good, its also easier said than done.  A creative
> cracker can beat a lot of password filter routines.  As somebody said to
> me earlier, belt _and_ suspenders works best. ;)

Agreed, for a large number of users (say >1,000) it is quite difficult
for one thing, running crack can be too time consuming to be feasible. 
For a small number of users (many of the LANs I administer have less
than 30 users), however, it is not at all difficult. It helps, of
course, if you can trust your local users --- possible when there are
only a few and you know them all, impossible when there are many and
they are faceless. 

The less work I have to do to keep the systems/network secure, the more
time I can make available for *real* work on those system. Few sites can
afford a full-time security person, that is the reality that I live in
anyway. 

cheers, kinch