Cover V01, I03
sep92.tar


New Messages

We ask that letters with code listings be submitted in an ASCII text file on an MS-DOS formatted disk or via email. Our net address is: saletter@rdpub.com (...!uunet!rdpub!saletter).

To: saletter@rdpub.com
Subject: Password taboos
I have two comments on password protection.

First, it's easy to tell people what not to do with passwords; helping them come up with good passwords is not much more difficult, but articles on password security (including Chris Hare's article on _How UNIX Password Controls Work_) seldom touch on this topic.

Instead, we are told, "don't pick any real word or other easily remembered combination of printable characters," yet we are to pick something we can easily remember so we don't have to write it down!

There are a few simple tricks to aid with password generation that meet both the above goals. Naturally, they work best with passwords that are obscure to begin with, but they will help with even simple passwords.

Mixing alphabetics and non-alphabetics in some fashion which makes sense to you usually provides enough security. Systems which allow all printable (or even nonprintable) characters lend themselves best to this, but even using numbers will help quite a bit.

The simplest case is to tack a number on at the beginning or end of a word. This is marginally more secure than the word itself. Better yet is to use a number or other non-alphabetic character in a mnemonic fashion. Consider the following table of substitutions (use your imagination!):

This   Can replace
0      O, Q, U
1      l, I, J
2      Z
3      E
4      q
5      S
6      b
8      B
9      g

These are only what I consider the most obvious ones. But these (if used judiciously) increase the password "alphabet." Passwords like 5har0n, k0mquat, or 5en1l3 are tougher to crack than their regular spellings (sharon, kumquat, senile).

Creative spellings and mnemonics help, also. Coworkers and I have successfully (in cracker-filled environments) used the following: 3lobyte (trilobite), sharf1sh (sharon likes fish), timbukE (reverse substitution of 3 in the name of the group timbuk3).

Similarly, made-up words can work well. Simply pick some syllables you like, or some sounds, and make a word. Use an obscure word from another language, perhaps spelled phonetically. Mix in the alternate characters as you like, and "voila!" (literally, "you will look like a fool if you say this aloud").

I have used a bogus word from the net which caught my eye, with substitutions as suggested above, for quite a while. Despite life amongst some very good pranksters, it has worked well. I interchange it occasionally with a few other similar passwords. About the only way these can be cracked is by testing every (or random) password - and nothing is protection against that.

Second, I'm tired of hearing how dangerous password cracking programs are. People who want to crack your passwords *are* going to have them! You had better have programs as good as theirs to catch sloppy users. Really secure sites use password programs such as SecureWare provides in their trusted system - which won't even allow a user to set a password to something easily cracked. Without such a tool, however, you should be prepared to run the COPS (or some other) cracker on a regular basis. My experience is that even with educated users, COPS will uncover that 10% to 20% of your users have unsafe passwords until confronted -- and that's without testing against the system dictionary! Encouraging system administrators to avoid password crackers is like suggesting the police go out to face drug dealers without guns.

Miles O'Neal
Pencom Software
Austin, TX

The substitution trick is neat, and easy to teach. Thanks for sending it.

As for password crackers, I agree, the bright and diligent intruders will have them. All the same, I don't have to make things easy for the dumber would-be intruders by publishing the code here. --rlw
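
As an added illustration (not part of Mr. O'Neal's letter, of the editor's reply, or of COPS, Crack or SecureWare), here is a short Python script that does two things with the substitution table printed above. First, it expands a dictionary word through the table the way a rule-based cracker's rewrite rules would, so the size of the result is the whole multiplier the trick adds over a plain dictionary guess. Second, it uses that same expansion as a proactive check of the "won't let you set a weak password" kind the letter describes, treating a single digit tacked on the front or back as strippable, which is the counterpart of the letter's first and weakest trick. The substitution table is the letter's; the word list and every function name are constructed for this example.

```python
"""Substitution-aware dictionary check.

Added example for this letters column; not code from Sys Admin, Pencom,
COPS or SecureWare. SUBS is the table from the letter; WORDLIST is
constructed for the example and would be the system dictionary in practice.
"""
import itertools

# Digit -> letters it can stand in for (the letter's table, verbatim).
SUBS = {
    "0": "OQU",
    "1": "lIJ",
    "2": "Z",
    "3": "E",
    "4": "q",
    "5": "S",
    "6": "b",
    "8": "B",
    "9": "g",
}

# Inverse map, case-folded: letter -> set of digits that may replace it.
_TO_DIGIT = {}
for digit, letters in SUBS.items():
    for ch in letters:
        _TO_DIGIT.setdefault(ch.lower(), set()).add(digit)

# Constructed word list; a real check would read the system dictionary.
WORDLIST = ["sharon", "kumquat", "senile", "trilobite", "password"]


def expand(word):
    """All spellings of `word` reachable through the substitution table.

    This is exactly what a cracker's rewrite rules enumerate, so the size
    of the result is the work factor the substitutions add to one
    dictionary guess (2**k for k letters that each have one substitute).
    """
    choices = []
    for ch in word.lower():
        opts = {ch} | _TO_DIGIT.get(ch, set())
        choices.append(sorted(opts))
    return {"".join(combo) for combo in itertools.product(*choices)}


def is_weak(password, wordlist=WORDLIST):
    """Return the dictionary word `password` is built from, or None.

    Mirrors a proactive password setter: a word with digits substituted
    is rejected, and so is a word with a single digit tacked on the front
    or the back.
    """
    pw = password.lower()
    stems = {pw}
    if len(pw) > 1 and pw[0].isdigit():
        stems.add(pw[1:])
    if len(pw) > 1 and pw[-1].isdigit():
        stems.add(pw[:-1])
    for word in wordlist:
        if stems & expand(word):
            return word
    return None


if __name__ == "__main__":
    for pw in ("5har0n", "k0mquat", "5en1l3", "sharon7", "3lobyte", "sharf1sh"):
        print(f"{pw:10} -> {is_weak(pw)}")
    for w in ("sharon", "senile"):
        print(f"{w}: {len(expand(w))} spellings under the table")
```

Run stand-alone it rejects 5har0n, k0mquat, 5en1l3 and sharon7 as dictionary words, and passes 3lobyte and sharf1sh because neither is a table rewrite of anything in the list. The counts it prints (4 spellings for sharon, 32 for senile) are the entire extra cost the table imposes on a cracker that knows it, which is the practical difference between the letter's pure substitutions and its creative spellings and mnemonics.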

To: saletter@rdpub.com
Subject: comment...

I got my first issue of Sys Admin, and it looks nice. I'll miss the root dragon however.

I especially enjoyed G. Clark Brown's article.

But there is one thing missing. It's simple to fix, though.

Where's the ftp address for the code from the articles???

David Lesher
scl.cwru.edu!wb8fox@uunet.uu.net

In the U.S. you can access the code using uunet as a bridge.

Host: ftp.uu.net

Location: /published/sysadmin/1992

We've been told that other sites are routinely archiving this directory, but we don't have any addresses.

In the U.K. you can find the code at

Host: src.doc.ic.ac.uk

Location: /published/sysadmin/1992

I hope this helps. And thanks to David J. Young for the addresses and ftp information. --rlw

To: saletter@rdpub.com
Subject: Subscription

Our relationship has gotten off to a bad start. When I first saw your advertisements for Sys Admin, I was excited about the new magazine. I sent in my subscription request. I waited to see the first issue but all I got were several bills saying I must be enjoying my first issue and asking me to send in money. After getting several such notices I called and asked when the first issue was due to be sent out. I was told it already had been sent and you would send me another right away. I got one. The postmark on the envelope was dated July 1. A day or two later I got a notice postmarked July 2nd saying:

"We've cancelled your subscription to Sys Admin. Our records indicate that we have not yet received a subscription payment from you."

You are right, I have not yet sent in a payment. I was not sure you even had a magazine to sell. You might give me a few days to look it over before sending such a negative notice. At this point in time, your subscription service seems very questionable. Will you be able to maintain a magazine? If I send you a subscription payment, will the money just disappear into a bit bucket of your bank account and I never see another magazine? Several of my co-workers are interested in my experience before they request subscriptions. Will service improve?

Regards,
Dana Price
danap@hpcvnvs.cv.hp.com

Please accept my sincerest apologies. I don't blame you a bit. If I were on the receiving end of this sequence, I'd be miffed too. If it makes any difference, you weren't alone -- we sent the same inappropriate sequence of letters to several hundred other subscribers.

For what it's worth, though, it was never our intent to introduce you to the magazine in this way, and you needn't worry about our disappearing with your money. We've been publishing technical information since 1981 and have been described by one of our competing publishers as "the most ethical publisher" in the industry.

This problem is the result of not properly synchronizing the mailing of this issue with the generation of the billing sequence. Your magazine arrived, it just arrived very late. During the last few weeks, our printer has been moving to a new plant (they have a couple of city blocks worth of plant to move!). Because they were unable to bring a new press on-line as planned, they wound up seriously behind. One of our magazines was jobbed to a sister plant in another state. SA was just delayed by about two weeks.

Unfortunately we didn't coordinate well enough between the fulfillment and editorial departments. As a result, the automated letter series went out as originally scheduled. In most cases this wouldn't create a great problem, as only one or two letters would arrive before the magazine. Unfortunately, since the publication is mailed third class, the post office may also insert an additional delay that can vary by as much as two to three weeks from subscriber to subscriber.

The bottom line: feel free to ignore these letters till you get a magazine. You WILL receive at least one. --rlw

To: saletter@rdpub.com
Subject: Thanks!

What a great publication! The staff here really likes it. Keep up the good work!

Robert K. Harber
Kansas City Power & Light Co.
Kansas City, MO

uunet!daver!genco!u6060!rkh

Thanks for the recognition. We'll do our best to keep earning it. --rlw

To: saletter@rdpub.com
Subject: Source listing for July Sys Admin

I just downloaded the source listings for the July issue from ftp.uu.net. Two things come to mind.

1) Consider publishing the internet address for uunet archives in your magazine. Most universities are able to ftp directly to uunet, but many users may not be aware of it. It's not clear to me whether uunet would be fond of having their address published, or whether they would prefer that folks use the 900 number, but if uunet is game, it's sure a lot easier for those with internet ties.

2) The first source listing I looked at, King Able's "rts" script, has been corrupted. It looks like lines have been truncated at something like 70 char wide. Actually, the lines aren't truncated, but the remainder is tacked on as a new line. Consider line 11, in the comments section. This one is easy to spot, since it has no # in col 1. But then consider line 72, which reads "<$TMP". This line is actually supposed to be at the end of the line above it, and of course the script itself fouls out pretty badly if it's not fixed. There are several other examples of the same problem throughout the script. For someone like me (hate typing code, don't mind debugging short scripts too much) this is still better than hand-keying the thing from the start. Others may be less charitable...

Anyway, if you are able to fix the files on uunet, let me know and I'll get the corrected ones.

By the way, the magazine is great! Both issues I've seen have had very useful things in them. A density of one-useful-item-per-issue is higher than most any other magazine I receive; yours has been a good deal higher on each one so far. Keep 'em coming!

Rich Baldwin
skeezix.stanford.edu!rich@uunet.uu.net

Thanks for the feedback. See the earlier letter for the ftp information. I apologize for the code -- the new lines do not appear in the magazine and since the files on uunet are copies of the files used in the magazine, there seems to be no rational explanation. We've fixed the uunet files now. Thanks for not flaming over the inconvenience. --rlw