Re: Software for front-end to kerberos database
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Thu Feb 23 08:12:10 1995
To: kerberos@MIT.EDU
Date: 23 Feb 1995 13:06:10 GMT
From: jik@cam.ov.com (Jonathan I. Kamens)
Someone else has already mentioned the support for a password dictionary in
Cygnus' Kerberos code base. I'm not sure if that was taken from the MIT
Kerberos 4 distribution or developed separately, but I know that the MIT
Kerberos 4 distribution (the most recent release of it, at least) does have
support for checking passwords against a dictionary when they are changed.
A number of years ago at MIT, before they implemented the code to check
passwords when they're changed, I wrote a program to encrypt a database of
words and compare all of them against all the passwords in the database. We
ran that program against the ATHENA.MIT.EDU realm's Kerberos database and
netted something like 30% of all passwords in the database, including the
"diety" instance of one of the database maintainers (MIT uses the "diety"
instance to represent people who have write access to the Kerberos database
through kadmin/kadmind). Needless to say, that person was encouraged to
change his password :-). Perhaps they used portions of my code when
implementing the quality-checking code they've got in the distribution now.
In any case, good quality checking when passwords are changed obviates the
need for something like "crack".
OpenVision's Kerberos 5 product, OpenV*Secure, includes support for password
policies and allows different principals to be assigned password policies.
Passwords are checked against a dictionary when they are changed, as well as
checked for minimum length, minimum number of character classes, and stuff
like that. Password expiration is also supported.
--
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com
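A change-time password policy check of the kind the post describes (dictionary lookup, minimum length, minimum number of character classes, plus a check against the principal's own name), as an added example; it is neither MIT's nor OpenVision's code, and the word list, thresholds and principal names are constructed for illustration.

```python
"""Password-quality check run at change time: dictionary, minimum length,
minimum character classes, and the principal's own name as a base word.
Added example, not MIT Kerberos or OpenV*Secure code. The dictionary is a
constructed stand-in; a real check loads a large word list from disk."""
import string

# Constructed sample dictionary (a real one holds hundreds of thousands of words).
DICTIONARY = {"password", "kerberos", "athena", "secret", "welcome", "dragon"}

# Undo common digit/symbol substitutions so "p@ssw0rd" is still caught.
LEET = str.maketrans("0134578@$", "oleastbas")
STRIP = string.digits + string.punctuation


def candidates(password):
    """Normalised forms compared against the word lists: lowercased, reversed,
    with leading/trailing digits or punctuation removed, and leet-decoded."""
    base = password.lower()
    forms = {base, base[::-1]}
    forms |= {f.strip(STRIP) for f in forms}
    forms |= {f.translate(LEET) for f in forms}
    return forms


def char_classes(password):
    """Number of character classes present: lower, upper, digit, other."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def check_password(password, principal, min_length=8, min_classes=3):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if char_classes(password) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    forms = candidates(password)
    if forms & DICTIONARY:
        problems.append("based on a dictionary word")
    # Reject the principal's name or instance (e.g. "jik/admin@REALM") as a base word.
    name_parts = {p.lower() for p in principal.replace("@", "/").split("/") if p}
    if forms & name_parts:
        problems.append("based on the principal name")
    return problems
```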