From owner-freebsd-security Sun Dec 15 13:43:07 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA02225 for security-outgoing; Sun, 15 Dec 1996 13:43:07 -0800 (PST)
Received: from dfw.dfw.net (aleph1@[198.175.15.10]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id NAA02187; Sun, 15 Dec 1996 13:43:00 -0800 (PST)
Received: from localhost by dfw.dfw.net (4.1/SMI-4.1) id AA19213; Sun, 15 Dec 96 15:40:44 CST
Date: Sun, 15 Dec 1996 15:40:43 -0600 (CST)
From: Aleph One
To: Terry Lambert
Cc: Bob Bishop, proff@iq.org, security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: vulnerability in new pw suite
In-Reply-To: <199612152039.NAA23837@phaeton.artisoft.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 15 Dec 1996, Terry Lambert wrote:

> I'm tired of having passwd not let me use whatever password I want,
> considering that with a shadow file, the user will have to brute-force
> it through /bin/login or equivalent. It seems the harder it becomes to
> see my post-encryption password, the more anal the passwd command
> becomes about making post-encryption passwords "safe" from attacks
> which are impossible to institute unless root has been compromised.

Just because the passwd is shadowed does not mean it won't be cracked.
There are programs that will brute force passwords using POP, TELNET,
RSH, etc.

>
> Regards,
> Terry Lambert
> terry@lambert.org
> ---
> Any opinions in this posting are my own and not those of my present
> or previous employers.
>

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01