[580] in Kerberos
Re: password checking
daemon@TELECOM.MIT.EDU (smb@RESEARCH.ATT.COM)
Mon Jan 9 19:07:19 1989
From: smb@RESEARCH.ATT.COM
To: chariot@ATHENA.MIT.EDU
Cc: Saltzer@ATHENA.MIT.EDU, jis@ATHENA.MIT.EDU, kit@ATHENA.MIT.EDU,
Well, at Athena at least, this is not too much of an issue. If
I remember the figures right, according to a recent study (if you want
detailed figures you'll have to ask Jeff Schiller), 50% of all Athena
users log in during a two week period. (This figure is pretty rough but
gives the right idea.) Hence, if the attacker collects all login sessions
for two weeks he has half the "password file".

First, in a widely distributed environment it isn't clear that all
sessions are observed; the intruder would presumably have to monitor
each net. Second, I do indeed suspect that unused accounts often have
the weakest passwords of all.