remmers
response 50 of 226: Apr 11 10:12 UTC 1995

Me too.
sidhe
response 51 of 226: Apr 11 22:35 UTC 1995

        Fine, fine, fine. It still should not be a FORCED issue, though.
mdw
response 52 of 226: Apr 11 23:21 UTC 1995

One of the problems with a root breakin is you never really know quite
what they did.  You don't know if they managed to find a way to sniff on
the wire (and we did, once, catch one that had installed a very nice
program to watch all the traffic on the wire and capture passwords), and
you don't know what other mischief they could have been up to.  I still
haven't seen a wording for motd that I really like. I'd like to find one
that is concise, non-alarmist, doesn't reward the cracker, but still
manages to strongly encourage users to change their password without
making it sound like an Imperial Command from upon way upon high.

If you aren't careful, I may invite the members of the accordion cf to
submit suggestions.  I fear it's possible you won't like any of their
ideas.  However, *I* might....

Normally, I find Valerie to be one of the most cool-headed persons I
know, but I must take exception to her #42; it sounds as if she's asking
Selena to take a hike.  I sure hope that wasn't Valerie's intent.  But
even more, I sure wouldn't want Selena to not feel welcome and wanted
here.  It's not at all necessary for her to be a member on the system,
either to make use of the system, or for her to express her opinion on
the running of the system here.  I, for one, value her opinion, and
while I fear Michigan law & the internet community won't allow us to
open up things as much as we'd like, that doesn't mean Selena's opinions
aren't valid or worth listening to.  Even if we don't agree with Selena,
I do feel we owe it to ourselves, and to Selena, to make her feel
absolutely welcome.
adbarr
response 53 of 226: Apr 12 01:54 UTC 1995

Ok, mdw - here is something to start from:  "Periodic password changes
are necessary to keep Grex available for you.  Please change your
password before X date. You may experience login failures after
that date.  Thank you for supporting Grex."
mdw
response 54 of 226: Apr 12 05:36 UTC 1995

Oh, my, I've obviously alarmed you with thoughts of those wild people
from the well.  But that doesn't really do a good job of conveying the
special nature of this particular request and it manages to make some
specific threats which I don't think we wanted to make.
lilmo
response 55 of 226: Apr 12 05:52 UTC 1995

Re #52:  I fear you may be on a quixotic quest, looking for the "perfect" motd.
nephi
response 56 of 226: Apr 12 11:32 UTC 1995

I too feel that gregc and popcorn's remarks to selena
were against the stated purpose of Grex.  

I have always thought that Co-op was a place where *anyone* was 
welcome to voice his/her opinions.  

If you don't agree with her arguments, attack those, not her.
srw
response 57 of 226: Apr 12 19:07 UTC 1995

I think Valerie is being misunderstood, though I know she can answer
for herself. I am sure she did not intend to leave Selena with the feeling
that she isn't welcome. Valerie isn't like that. I consider Selena welcome, 
too.

I, like Valerie, am surprised at how much Selena complains, and yet
she still has the fortitude to remain here. I hope Selena stays,
and I hope the staff can listen to her complaints and gain from them.
sidhe
response 58 of 226: Apr 13 01:54 UTC 1995

        Before it immediately sounds like I'm blowing off the air of
compassion toward Selena <or any dissidents>, I'm not. Selena, you are always welcome
to voice yourself here. Now, for the REAL reason I'm responding..

        What is it that we MUST be forced to change these things?
It rubs me the entirely wrong way. It's like telling people to wake up after a
night's sleep.. Unnecessary to those of us who do, and unaffective to those of
us who don't want to, as your change/change back scenario showed.
mwarner
response 59 of 226: Apr 13 06:24 UTC 1995

I have no problem with the forced change.  I can't imagine anything having
less infringement on my real or imagined freedom to do what I want the way
I want.  Or it certainly is so many miles down the list that it would
never occur to me to be bugged by it.  Having said that, I'd have to agree
that it probably isn't effective and not worth doing if it upsets anybody.
What is gained by a once a year change that is instantly reversible, above
and beyond the rush to flush that occurs when a "oops, we be cracked"
announcement is in order?  Not enough to be worth the institution.
ajax
response 60 of 226: Apr 13 15:26 UTC 1995

  I don't like forced changes, but it's so trivial to work around,
I don't think it's worth the effort to change.  You can just run
passwd twice to change your password back to its original...for
the few who are attached to their passwords, typing an extra couple
dozen keystrokes per year isn't a big deal!
lilmo
response 61 of 226: Apr 14 04:00 UTC 1995

Frankly, I could easily forget a reminder between the time I see the motd and 
the time I see a prompt...  *shrug*
tsty
response 62 of 226: Apr 14 09:40 UTC 1995

At the same time that I support the default values of accepting
thoroughly anonymous, internet-access memberships (see selena
items previously) I *also*!!, therefore, completely support the
concept and implementation of +system-demanded+ password changes
either on a time basis (a year, max), or upon information of a
breakin. This mandate would affect only those who +have+ full
internet access (protect your own), and would affect those who
join as members, being upgraded in access status.
 
My basis for this implementation is the concept of designing
with the intent of "avoiding the opportunity for error" balanced
against "creating the opportunity for trust." 
  
The concept in paragraph #1 supports "avoidance," and #2 supports
"trust," and the combination would appear to prevent an
internet-access-account from being sandbagged, or so I would hope.
selena
response 63 of 226: Apr 15 08:19 UTC 1995

        Umm.. I don't quite get the gist of it, tsty.. Come again?
selena
response 64 of 226: Apr 15 08:30 UTC 1995

        In response to 42 <popcorn> and the rest of the related
responses.. Thank you for those of you who welcome me, and my opinions,
here. To those of you who don't like my opinions, I'm sorry, but they
don't change because you'd like them better some other way.. And, as
I understood it, I am welcome to come here and gripe about things I don't
like, so long as I can stand to do so. Wondering at my stamina will do
nothing. I *will* speak up, if I object to something.. lately, there have
been no small number of things I disagree with. This doesn't mean I don't
like you. This means I don't like what you're saying. So, as is my right,
here, I say something back.
        Now, enough of this drift item-within-an-item thing.. I was hurt
enough by gregc's and popcorn's responses, to begin with, without it
getting dragged all through the silly item. Put simpler.. where were we?

tsty
response 65 of 226: Apr 15 10:31 UTC 1995

Ummmmmm, what appears to need "protection" is the internet
access. Only members have internet access. Members' passwords
ought to be "system-forced" to be changed at least once a year.
  
Guests' passwords don't +need+ a "system-forced" change. It's
a GoodIdea, but not necessarily a "forced" issue.
  
A breakin should trigger (one way or the other) a "force to change"
for those loginids with internet access. Other loginids can
change at will.
  
An upgrade in status from guest to member (and therefore internet
access) should "force" a password change. 
  
Conclusions and policy suggestion derived from the concepts
in response #62.
davel
response 66 of 226: Apr 15 14:25 UTC 1995

Um.  TS, I hadn't thought of it that way, but that certainly makes a lot
of sense.  (I'd also favor requiring all root passwords to expire a *lot*
more often than once per year, on similar grounds.)
steve
response 67 of 226: Apr 15 15:12 UTC 1995

   There is nothing special about members' passwords, compared to non-
members.
   Members can get on to the net, true, but I think e-mail is the
most likely possibility for getting Grex into trouble.

   Don't worry about root passwords: they get changed too often as
it is.
selena
response 68 of 226: Apr 18 04:16 UTC 1995

        Hey, all I'm saying is I'm with sidhe- it does no good, so why
piss people off with it?
steve
response 69 of 226: Apr 18 04:53 UTC 1995

  Ah, but it does do good.  Many people have written me, asking
about the reasons for the change, asked for suggestions about what
makes for a good password, and then, grudgingly, changed them.

  Although it doesn't affect Grex, it gets other people to thinking
about passwords in general, and why a 13 year old password isn't
such a good idea (that came from a newuser here who used the UM's
large computer, and saw no reason to not use that password 'till I
talked to him).

  Passwords are seen as one of these "magic" things; people think
of something that's "easy", like a SO's name, completely unaware of
the security issues involved.

  It doesn't stop at computer passwords, either.  Your PIN on your
ATM card is often something that you can specify or change these
days.  Because of this, you can set your password to something *really*
bad.  Several years ago I was going to lunch with someone who'd just
gotten me a consulting job, so I took her out to lunch.  She wanted to
stop by the ATM and get some money for shopping, so I stopped off by
her drive-through bank.  She gave me her card since she was too lazy
to get out and walk around to do it herself (lazy, eh?).  Anyway,
she was about to tell me her PIN when I said I'd try it.  The first
attempt I used didn't work.  The second one did.  She was dumbfounded.
She asked, how did I know?  Simple.  When I met her where she worked, I
saw lots and lots and LOTS of pictures of her kids.  Since I knew the
birthdates of each of them, I tried the birth month/year of the
oldest child, 0480.  That didn't work, so I tried 0781 for the second,
and that worked.

   She changed her PIN soon after that.

   There really are reasons to become "password aware".
srw
response 70 of 226: Apr 19 15:51 UTC 1995

From the NY Times Magazine - Sunday 4/16 p.20 
Crasswords, by James Gleick

(excerpted)

I had a good password once. I lost it to modern vandals who cracked an
internet node with a password-sniffing program that sat quietly in the
shadows and recorded everyone's connections to other sites across the planet. 
In the aftermath, there was my password, S!itnol (the first letters of a
Supremes song -- and you're welcome to it), shockingly exposed near the
end of a security agency printout. It was like walking into a gallery and 
seeing your own nude posture photo. And what a loss! A good password is 
hard to find.

A bad password is probably what you are using now, or soon will -- for at this
peculiar moment in human history we find ourselves obliged to punch in 
special sequences of characters before we can go on line, or get cash 
from a machine, or check voice mail, or turn off a house alarm, or 
telephone with a credit card, or reactivate a car radio, or secure a 
spreadsheet or word processor document. Lizzie and 123184 are screamingly
bad passwords, especially if they happen to be the name and birth date of 
your firstborn. Gandalf is a bad password; so is any obscenity in any 
earthly language; so is any name ever used in any episode of "Star Trek."
So are eizziL and 481321 -- password crackers do use computers, you know,
and the on-line message groups are always hopping with queries like this 
one from a gentleman in Kuwait: "hi there. I want a program which can get
others PassWord. E-mail me Please. Nassib."

Open Sesame just won't cut it any more, eh, Nassib? Passwords have become 
defining tokens of our electronic age -- no longer the province of 
sentries and spies. We've reached a level of interactive networked 
existence where faceless human contact is the rule, and every connection
requires the magic word, not to get the treasure or enter a speak-easy, 
but just to take the first step: validate our puny existence; prove we're 
who we say we are.

[lots of stuff missing here. You should really go read the original
 It continues...]

It's both good and bad that password creativity has come so far since 
"Who's there?" "Nay, answer me. Stand and unfold yourself." 
"Long live the King." A password is more than just a flaky kind of 
fingerprint. We still want passwords to be romantic, not just utilitarian. 
We reveal ourselves in our passwords. That may be the one reason it hurts 
to lose a good one. Passwords are about identity, after all. Choosing 
xerxes or donjuan is a grown-up equivalent of wearing power ranger underwear.

[there's a lot more, but that's all I could type in.]

I think the author is right about why people become attached to their
passwords. I think we should all be thinking long and hard about this.
rcurl
response 71 of 226: Apr 19 16:37 UTC 1995

When I "had" to change my password (under the threat of every cybervandal
on the web sniffing my old one), I concocted one derived from all four
rows of the keyboard (hah! a clue!). It has taken me *3 WEEKS* to
remember it, and even yet I have to rethink the encryption algorithm
upon which it is based. This represents perhaps five minutes of every
day, stolen from my allotted fifteen minutes of fame, which adds up to
*#)$$* HOURS in my planned lifetime! I think the scheme was learned from
the IRS, who also are in business to fill your time because you have
better things to do. 
steve
response 72 of 226: Apr 19 17:21 UTC 1995

   The easy way to come up with an obscure password is pretty simple.

   Take a piece of literature you like, and use the first letter (or
maybe last) of each word in that phrase.

   So, "These are times that try mens souls." becomes "Tatttms."
That pw is OK, but not great.  It could be longer.  But you get
the idea.

   Here on Grex your password can be up to 16 characters long.
tsty
response 73 of 226: Apr 19 19:50 UTC 1995

Ummmm, I am confused about something said above:
  
>#67 of 72: by STeve Andre' (steve) on Sat, Apr 15, 1995 (10:12):
>    There is nothing special about members' passwords, compared to non-
> members.
>    Members can get on to the net, true, but I think e-mail is the
> most likely possibility for getting Grex into trouble.
>  
If internet access is the "problem," then there has to be something
special about members' passwords, by definition.
  
If email is the "problem," there isn't the slightest support for our
current "verification dance" given that we have (correctly) decided
to allow an open newuser process.
  
I'm reading a phenomenally large, gaping, logical inconsistency here.
  
Oh, and btw, to add a question to/from another related item, how
many problems, to date, have arisen from email, or Usenet news
postings (when we had them)? << and i don't mean from some dweebishly
over-sensitive usenet news reader, either >>.
steve
response 74 of 226: Apr 19 20:13 UTC 1995

   TS, the problem with stealing passwords isn't any greater or lesser
when you compare members and non-members on Grex.  The potential for
harm is great enough even through the stealing of a well-known non-
member's account that (I think) it equals stealing a member's pw.

   The reason for verification is to discourage people from becoming
members solely for the purpose of using Grex as another jump point
in a multiple site telnet session for nefarious deeds.  As I've said
before, the number of times I've seen a new account try telnetting a
few times immediately after creating an account is impressive.  Some
of them then bring over the source to telnet in the hopes that it is
a modified telnet that prevents them from getting onto the net.

   It's people like that, that we're attempting to protect ourselves
from.

- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss