[1038] in Kerberos
Re: Trivial passwords
daemon@ATHENA.MIT.EDU (Michael P. Ressler)
Wed Jun 20 10:21:30 1990
Date: Wed, 20 Jun 90 09:35:06 EDT
From: Michael P. Ressler <mpr@sushi.ctt.bellcore.com>
To: kerberos@ATHENA.MIT.EDU

I'm sure Marc Horowitz's statements will generate a lot of feedback from the group.
A system is only as strong as its weakest link. "Good" passwords are never
inappropriate. Demo and test accounts require passwords that are as "good"
as the passwords for all other accounts. Why bother with mechanisms such as
Kerberos and then open up a few back doors for demos and testing? Also,
if accounts and passwords are widely known and "bad" behavior occurs from
use of that account, who is to blame? There is no individual accountability
once you start to share accounts. So here we have shared accounts with
trivial passwords! Site policy should always require that all passwords are
"good" and there is no account sharing.

Mike Ressler
mpr@ctt.bellcore.com