[7670] in Kerberos
Re: password policies?
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Jul 24 20:45:16 1996
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: guthrie@miu.edu, kerberos@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 24 Jul 1996 20:39:48 -0400
In-Reply-To: Ken Hornstein's message of Tue, 23 Jul 1996 23:08:16 -0400
>>>>> "Ken" == Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
>> Q1: should we have the kerberos and POP passwords be the same,
>> or different?
Ken> Note that unless you're having everyone use Kerberized POP,
Ken> having your POP passwords the same as your Kerberos passwords
Ken> defeats the entire point of Kerberos. So I would either say
Ken> make them different, or force everyone to use Kerberized POP.
This depends on what you are using Kerberos for. It was
designed as a security system, and certainly, if you are using it as a
security system, you ideally want to have Kerberos passwords not be
sent unencrypted.
Assuming, however, that you are an ISP using Kerberos as a
database for storing passwords that is more secure than NIS, then
having these passwords be the same may be reasonable.
>> Q2: are there any good password generators for our
>> administrators; I do not want completely random passwords, but
>> at least using "trigraph" string probabilities to help make them
>> readable (rememberable).
Be careful. It is generally a better idea to allow users to
choose their own passwords than to generate them automagically. I
guess semi-random passwords might be reasonable for new accounts and
for password resets, but users should be encouraged/required to change
their passwords.
Ken> Can't help you on this one, sorry.
Ken> --Ken
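As an added example (not part of this thread or any Kerberos tool), the following Python sketches the kind of trigraph-probability generator Q2 asks about: an order-2 Markov chain trained on a small constructed word list. It returns the probability the chain assigned to each password, so the bits of guessing resistance a "readable" password actually has can be measured against uniformly random letters of the same length. The corpus and all function names here are constructed for illustration.

```python
import math
import random
from collections import defaultdict

# Constructed training text (assumption: a real deployment would train on a
# large dictionary). Only the letter-triple statistics are used.
CORPUS = """
the quick brown fox jumps over the lazy dog while seven silent
students study simple systems and several strangers wander through
winding village streets toward distant mountain cabins
""".split()


def build_trigraph_model(words):
    """For every pair of preceding letters, count how often each next
    letter follows it. '^' pads the start of each word so generation can
    begin from a word-initial context."""
    counts = defaultdict(lambda: defaultdict(int))
    for w in words:
        padded = "^^" + w
        for i in range(2, len(padded)):
            counts[padded[i - 2:i]][padded[i]] += 1
    return counts


def generate(model, length, rng):
    """Walk the trigraph chain for `length` letters. Returns the password
    and the probability the chain assigned to producing exactly it."""
    pw, prob, ctx = "", 1.0, "^^"
    while len(pw) < length:
        nxt = model.get(ctx)
        if not nxt:            # no trigraph continues this pair: restart
            ctx = "^^"         # from a word-initial context
            nxt = model[ctx]
        letters = list(nxt)
        weights = [nxt[c] for c in letters]
        c = rng.choices(letters, weights=weights)[0]
        prob *= nxt[c] / sum(weights)   # probability of this exact choice
        pw += c
        ctx = ctx[1] + c
    return pw, prob


def surprisal_bits(prob):
    """Bits an attacker who knows the model needs to guess this output."""
    return -math.log2(prob)


def uniform_bits(length, alphabet_size=26):
    """Bits for the same length drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)
```

With any seed, `surprisal_bits(p)` for an 8-letter output comes out well under the 37.6 bits of eight uniformly random lowercase letters, which is the price paid for pronounceability.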