Jima wrote:

>On Tue, 24 May 2005, steve ulrich wrote:
>
>>hmm - i have the same password on possibly thousands of boxes. i'll
>>have to get the NIS+ admins on that pronto.
>
> And if someone managed to get root on one of those NIS+-managed machines,
>they'd be able to get to your encrypted password, right? Right?
> Slightly different subject, IMO.
>
> Jima

I think it's pretty easy to argue that passwords, at least passwords alone, are an idea whose time has come and gone.

I've recently gone through a bunch of the various password checkers, PAM modules, etc. and it certainly appears that they impose sufficient restrictions on what constitutes an acceptable password that they actually make the resulting passwords more vulnerable to brute force attacks. If you look at the reduced keyspace that comes from requiring specific character classes, the elimination of any passwords that contain character strings of 3 characters or more that appear in any of the specified dictionaries, and just the psychology of memory it seems like you should be able to build a smart password cracker to exploit those enforced weaknesses - maybe a project for the summer :-)

--rick
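For anyone reviewing a password policy, the character-class part of the keyspace question raised above can be measured directly. The following is an added example, not part of the original message: it counts, by inclusion-exclusion, how many fixed-length strings over printable ASCII satisfy an "at least one character from each required class" rule. The function names and the class table are assumptions made for illustration, and the dictionary-substring rule is not modelled.

```python
from itertools import combinations
from math import log2

# Assumed class sizes for the 95 printable ASCII characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def total_keyspace(length, classes=CLASSES):
    """Number of strings of the given length with no composition rule."""
    return sum(classes.values()) ** length


def compliant_keyspace(length, required, classes=CLASSES):
    """Number of strings containing at least one character from every
    class named in `required`, counted by inclusion-exclusion."""
    alphabet = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        # Strings that avoid every class in `missing` use a smaller alphabet.
        for missing in combinations(required, k):
            remaining = alphabet - sum(classes[name] for name in missing)
            count += (-1) ** k * remaining ** length
    return count


def bits_lost(length, required, classes=CLASSES):
    """Search-space reduction, in bits, caused by the composition rule."""
    return (log2(total_keyspace(length, classes))
            - log2(compliant_keyspace(length, required, classes)))


if __name__ == "__main__":
    rule = list(CLASSES)  # policy under review: all four classes required
    for n in (8, 10, 12, 16):
        share = compliant_keyspace(n, rule) / total_keyspace(n)
        print(f"length {n:2d}: {share:6.1%} of strings comply, "
              f"{bits_lost(n, rule):.2f} bits lost")
```
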