[1040] in Kerberos
Re: Trivial passwords
daemon@ATHENA.MIT.EDU (smb@ulysses.att.com)
Thu Jun 21 16:53:00 1990
From: smb@ulysses.att.com
To: marc@MIT.EDU
Cc: "Michael P. Ressler" <mpr@SUSHI.CTT.BELLCORE.COM>, kerberos@ATHENA.MIT.EDU
Date: Wed, 20 Jun 90 21:07:57 EDT
I think you misunderstand the use of these demo accounts. For
instance, I just set up a system using Kerberos for DECworld. The
accounts all have a password of "demo". This is so people can come up
to a machine and just log in. Security is not what we are demoing
here; if it were, I would choose "good" passwords. Since it's not,
forcing people to remember "good" passwords is unnecessary and
cumbersome for the demoers and the demoees. If the server mandated
good passwords, I would not be able to have a simple system. If the
client did, I would find the "kbadpasswd" program and use that,
instead. I like what Berkeley passwd does: if you insist enough, a
short or badly formed password will be accepted.
So, in this case, I maintain that a "good" password would be
inappropriate.
Test accounts are another matter. There was a widely known test
account (no doubt the rtm virus list would have hit the pw) at Athena
which was just removed. A new test account was created, and that
password is only being given to people who need it.
Marc Horowitz
If one must have weak passwords, let kadmin create them, rather than
a user.