Date: Mon, 16 Dec 1996 00:03:01 GMT
From: rb@gid.co.uk (Bob Bishop)
To: Terry Lambert <terry@lambert.org>
Cc: proff@iq.org, security@freebsd.org, hackers@freebsd.org
Subject: Re: vulnerability in new pw suite
Message-ID: <v01540b05aeda408c7c25@[194.32.164.2]>
At 1:39 pm 15/12/96, Terry Lambert wrote:
>Heh.
>
>Please define "unsafe" in the context of a functional (inaccessible for
>pre-salt-based attacks) shadow password system.
>
>8-) 8-).
>
>I'm tired of having passwd not let me use whatever password I want,
>considering that with a shadow file, the user will have to brute-force
>it through /bin/login or equivalent. It seems the harder it becomes to
>see my post-encryption password, the more anal the passwd command
>becomes about making post-encryption passwords "safe" from attacks
>which are impossible to institute unless root has been compromised.

Yeah, fine on an isolated machine, but those pesky users also insist on
using the same weak password on lots of different systems. So if some
sleaze does manage to get root on your system and thus access to your
shadow file, five gets you ten the user passwords he can now derive will
work on neighbouring systems.

--
Bob Bishop          (0118) 977 4017   international code +44 118
rb@gid.co.uk        fax (0118) 989 4254   between 0800 and 1800 UK