Message-ID: <3B16D9C8.2F6CE52E@ursine.com>
Date: Thu, 31 May 2001 16:54:48 -0700
From: Michael Bryan
To: freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
References: <200105312300.f4VN0RD24448@cwsys.cwsent.com> <20010601013041.A32818@area51.dk>

Alex Holst wrote:
>
> I was
> surprised when I read about the compromise, because it gives the impression
> that people are still using passwords (as opposed to keys with passphrases)
> for authentication in this day and age. Is that correct? If so, why is that?

Yeah, I'd say it's correct. As to why, I can think of two reasons.

1) It's easier to use ssh with passwords, and just not be "bothered"
   with the key maintenance.

2) The password is sent encrypted, not in cleartext, and that is in
   many people's minds one of the most important benefits of using ssh.
   The extra safety of keys is just not always seen as being worth the
   extra work.

[And I'm not arguing either side of that issue, different people believe
or prioritize in different ways...]