We ask that letters with code listings be submitted
an ASCII text file on an MS-DOS formatted disk or via
email. Our net
firstname.lastname@example.org ("...!uunet!rdpub!saletter").
Subject: Password taboos
I have two comments on password protection.
First, it's easy to tell people what not to do with
them come up with good passwords is not much more difficult,
on password security (including Chris Hare's article
on _How UNIX
Password Controls Work_) seldom touch on this topic.
Instead, we are told, "don't pick any real word
easily remembered combination of printable characters,"
are to pick something we can easily remember so we don't
have to write
There are a few simple tricks to aid with password generation
meet both the above goals. Naturally, they work best
that are obscure to begin with, but they will help with
Mixing alphabetics and non-alphabetics in some fashion
sense to you usually provides enough security. Systems
all printable (or even nonprintable) characters lend
to this, but even using numbers will help quite a bit.
The simplest case is to tack a number on at the beginning
or end of
a word. This is marginally more secure than the word
yet is to use a number or other non-alphabetic character
in a mnemonic
fashion. Consider the following table of substitutions
(use your imagination!)
0 | O, Q, U
1 | l, I, J
These are only what I consider the most obvious ones.
But these (if
used judiciously) increase the password "alphabet."
like 5har0n, k0mquat, or 5en1l3 are tougher to crack
than their regular
spellings (sharon, kumquat, senile).
Creative spellings and mnemonics help, also. Coworkers
and I have
successfully (in cracker-filled environments) used the
3lobyte (trilobite), sharf1sh (sharon likes fish), timbukE
substitution of 3 in the name of the group timbuk3).
Similarly, made-up words can work well. Simply pick
you like, or some sounds, and make a word. Use an obscure
another language, perhaps spelled phonetically. Mix
in the alternate
characters as you like, and "voila!" (literally,
will look like a fool if you say this aloud").
I have used a bogus word from the net which caught my
eye, with substitutions
as suggested above, for quite a while. Despite life
amongst some very
good pranksters, it has worked well. I interchange it
with a few other similar passwords. About the only way
these can be
cracked is by testing every (or random) password -
and nothing is
protection against that.
Second, I'm tired of hearing how dangerous password
are. People who want to crack your passwords *are* going
to have them!
You had better have programs as good as theirs to catch
Really secure sites use password programs such as SecureWare
in their trusted system - which won't even allow a user
to set a password
to something easily cracked. Without such a tool, however,
be prepared to run the COPS (or some other) cracker
on a regular basis.
My experience is that even with educated users, COPS
that 10% to 20% of your users will have unsafe passwords
-- and that's without testing against the system dictionary!
Encouraging system administrators to avoid password
crackers is like
suggesting the police go out to face drug dealers without
The substitution trick is neat, and easy to teach. Thanks
for sending it.
As for password crackers, I agree, the bright and diligent
intruders will have them. All the same, I don't have
to make things
easy for the dumber would-be intruders by publishing
the code here.
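The letter above recommends two defensive measures: a password-setting tool that refuses easily cracked choices, and a regular cracker run that flags the 10% to 20% of users with unsafe passwords. The following is an added example (not code from Sys Admin, SecureWare or COPS) of a small password-quality check that applies the letter's own advice in reverse: it flags bare dictionary words, words with a number tacked on the front or back, and words disguised with the digit-for-letter substitutions from the letter's table. The 0 and 1 rows are the table's; the 3-for-e and 5-for-s rows are inferred from the letter's examples 5en1l3 and 3lobyte. The wordlist, the six-character minimum and the expansion cap are assumptions chosen for the example; a real deployment would read the system dictionary instead.

```python
"""Password-quality check in the spirit of the letter above.

Flags dictionary words, dictionary words with a number tacked on, and
dictionary words disguised with digit-for-letter substitutions.
Added example; not code from Sys Admin, SecureWare or COPS.
"""
from itertools import product

# Reverse of the letter's substitution table. The 0 and 1 rows come from
# the table itself; 3->e and 5->s are inferred from the examples 5en1l3
# and 3lobyte.
UNSUBSTITUTE = {
    "0": "oqu",
    "1": "lij",
    "3": "e",
    "5": "s",
}

# Constructed wordlist standing in for /usr/dict/words (assumption).
WORDLIST = {"sharon", "kumquat", "senile", "trilobite", "fish", "password"}

MIN_LENGTH = 6          # assumed site policy
MAX_EXPANSIONS = 4096   # cap the product so a digit-heavy password cannot blow up


def plain_spellings(password):
    """Return every spelling obtained by undoing the substitutions.

    '5har0n' yields 'sharon', 'sharqn', 'sharun' and the original spelling.
    Characters that are not in the table pass through unchanged.
    """
    choices = []
    for ch in password.lower():
        letters = UNSUBSTITUTE.get(ch, "")
        choices.append(ch + letters)  # keep the character itself as an option
    count = 1
    for c in choices:
        count *= len(c)
    if count > MAX_EXPANSIONS:
        return {password.lower()}
    return {"".join(p) for p in product(*choices)}


def strip_number_affix(word):
    """Remove a run of digits tacked onto the front or back ('sharon7', '42fish')."""
    return word.strip("0123456789")


def weakness(password, wordlist=WORDLIST):
    """Return a short reason the password is weak, or None if it passes.

    The checks mirror the letter's advice: a bare dictionary word, a word
    with a number tacked on, and a word spelled with the substitution table.
    """
    pw = password.lower()
    if len(pw) < MIN_LENGTH:
        return "too short"
    if pw in wordlist:
        return "dictionary word"
    if strip_number_affix(pw) in wordlist:
        return "dictionary word with number tacked on"
    for spelling in plain_spellings(pw):
        if strip_number_affix(spelling) in wordlist:
            return "dictionary word with substitutions"
    return None


def audit(passwords, wordlist=WORDLIST):
    """Check a batch and return (weak_count, total, {password: reason})."""
    findings = {}
    for pw in passwords:
        reason = weakness(pw, wordlist)
        if reason:
            findings[pw] = reason
    return len(findings), len(passwords), findings


if __name__ == "__main__":
    # Constructed sample: the letter's own examples plus two weak choices.
    sample = ["sharon", "5har0n", "kumquat7", "sharf1sh", "3lobyte", "timbukE"]
    weak, total, found = audit(sample)
    for pw, why in found.items():
        print(f"{pw}: {why}")
    print(f"{weak} of {total} weak")
```

Run against the constructed sample, the check rejects sharon, 5har0n and kumquat7 but lets the mnemonic compounds sharf1sh, 3lobyte and timbukE through, because undoing the substitutions does not reduce them to a single wordlist entry. That is the distinction the letter draws: a substitution applied to a plain word only disguises it, while a made-up or compound word with substitutions mixed in is not recovered by this kind of dictionary check.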
I got my first issue of Sys Admin, and it looks nice.
I'll miss the
root dragon however.
I especially enjoyed G. Clark Brown's article.
But there is one thing missing. It's simple to fix,
Where's the ftp address for the code from the articles???
In the U.S. you can access the code using uunet as a
We've been told that other sites are routinely archiving
this directory, but we don't have any addresses.
In the U.K. you can find the code at
I hope this helps. And thanks to David J. Young for
addresses and ftp information. --rlw
Our relationship has gotten off to a bad start. When
I first saw your
advertisements for Sys Admin, I was excited about the
I sent in my subscription request. I waited to see the
but all I got were several bills saying I must be enjoying
issue and asking me to send in money. After getting
several such notices
I called and asked when the first issue was due to be
sent out. I
was told it already had been sent and you would send
me another right
away. I got one. The postmark on the envelope was dated
July 1. A
day or two later I got a notice postmarked July 2nd
"We've cancelled your subscription to Sys Admin.
Our records indicate
that we have not yet received a subscription payment
You are right, I have not yet sent in a payment. I was
not sure you
even had a magazine to sell. You might give me a few
days to look
it over before sending such a negative notice. At this
point in time,
your subscription service seems very questionable. Will
you be able
to maintain a magazine? If I send you a subscription
the money just disappear into a bit bucket of your bank
I never see another magazine? Several of my co-workers
in my experience before they request subscriptions.
Will service improve?
Please accept my sincerest apologies. I don't blame
a bit. If I were on the receiving end of this sequence,
I'd be miffed
too. If it makes any difference, you weren't alone --
we sent the
same inappropriate sequence of letters to several hundred
For what it's worth, though, it was never our intent
introduce you to the magazine in this way, and you needn't
our disappearing with your money. We've been publishing
information since 1981 and have been described by one
of our competing
publishers as "the most ethical publisher"
in the industry.
This problem is the result of not properly synchronizing
the mailing of this issue with the generation of the
Your magazine arrived; it just arrived very late. During
few weeks, our printer has been moving to a new plant
(they have a
couple of city blocks worth of plant to move!). Because
unable to bring a new press on-line as planned, they
wound up seriously
behind. One of our magazines was jobbed to a sister
plant in another
state. SA was just delayed by about two weeks.
Unfortunately we didn't coordinate well enough between
fulfillment and editorial departments. As a result,
letter series went out as originally scheduled. In most
wouldn't create a great problem, as only one or two
arrive before the magazine. Unfortunately, since the
mailed third class, the post office may also insert
delay that can vary by as much as two to three weeks
The bottom line: feel free to ignore these letters till
you get a magazine. You WILL receive at least one. --rlw
What a great publication! The staff here really likes
it. Keep up
the good work!
Robert K. Harber
Kansas City Power & Light Co.
Kansas City, MO
Thanks for the recognition. We'll do our best to keep
Subject: Source listing for July Sys Admin
I just downloaded the source listings for the July issue
Two things come to mind.
1) Consider publishing the internet address for uunet
your magazine. Most universities are able to ftp directly
but many users may not be aware of it. It's not clear
to me whether
uunet would be fond of having their addr published,
or whether they
would prefer that folks use the 900 number, but if uunet
it's sure a lot easier for those with internet ties.
2) The first source listing I looked at, King Able's
script, has been corrupted. It looks like lines have
at something like 70 char wide. Actually, the lines
but the remainder is tacked on as a new line. Consider
line 11, in
the comments section. This one is easy to spot, since
it has no #
in col 1. But then consider line 72, which reads "<$TMP".
This line is actually supposed to be at the end of the
it, and of course the script itself fouls out pretty
badly if it's
not fixed. There are several other examples of the same
the script. For someone like me (hate typing code, don't
short scripts too much) this is still better than hand-keying
thing from the start. Others may be less charitable...
Anyway, if you are able to fix the files on uunet, let
me know and
I'll get the corrected ones.
By the way, the magazine is great! Both issues I've
seen have had
very useful things in them. A density of one-useful-item-per-issue
is higher than most any other magazine I receive; yours
has been a
good deal higher on each one so far. Keep 'em coming!
Thanks for the feedback. See the earlier letter for
ftp information. I apologize for the code -- the new
lines do not
appear in the magazine and since the files on uunet
are copies of
the files used in the magazine, there seems to be no
We've fixed the uunet files now. Thanks for not flaming
over the inconvenience.