This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use.
Key Words and Phrases: operating systems, passwords, computer security.
The password security on the UNIX time-sharing system is provided by a collection of programs whose elaborate and strange design is the outgrowth of many years of experience with earlier versions. The design is the result of a continuous competition between those trying to attack the system and those trying to resist such attacks. This competition has been in the same vein as the competition between manufacturers of armor plate and those of armor-piercing shells. The description will trace the history of the password system rather than simply presenting the program in its current state. The reasons for the design will be made clearer, as the design cannot be understood without also understanding the potential attacks.
An underlying goal has been to provide password security at minimal inconvenience to the users of the system. For example, those who want to run a completely open system without passwords, or to have passwords only at the option of the individual users, are able to do so, while those who require all of their users to have passwords gain a high degree of security against penetration of the system by unauthorized users.
The password system must be able not only to prevent any access to the system by unauthorized users but also to prevent users who are already logged in from doing things that they are not authorized to do. The so-called “super-user” password on the UNIX system is especially critical because the super-user has all sorts of permissions and has essentially unlimited access to all system resources.
Password security is only one component of overall system security, but it is an essential component. Experience has shown that attempts to penetrate remote-access systems have been astonishingly sophisticated.
Remote-access systems are peculiarly vulnerable to penetration by outsiders as there are threats at the remote terminal, along the communications link, as well as at the computer itself. Although the security of a password encryption algorithm is an interesting intellectual and mathematical problem, it is only one tiny facet of a very large problem. In practice, physical security of the computer, communications security of the communications link, and physical control of the computer itself loom as far more important issues. Perhaps most important of all is control over the actions of ex-employees, since they are not under any direct control and they may have intimate knowledge about the system, its resources, and methods of access. Good system security involves realistic evaluation of the risks not only of deliberate attacks but also of casual authorized access and accidental disclosure.
The UNIX system was first implemented with a password file that contained the actual passwords of all the users, and for that reason the password file had to be heavily protected against being either read or written. Although historically, this had been the technique used for remote-access systems, it was completely unsatisfactory for several reasons