From owner-freebsd-hackers Wed Nov 5 03:46:39 1997
Message-ID: <19971105124616.58971@bitbox.follo.net>
Date: Wed, 5 Nov 1997 12:46:16 +0100
From: Eivind Eklund
To: Terry Lambert
Cc: tom@sdf.com, hackers@FreeBSD.ORG
Subject: Re: Password verification (Was: cvs commit: ports/x11/kdebase - Imported sources)
References: <19971103191349.30502@bitbox.follo.net> <199711042333.QAA24121@usr02.primenet.com>
In-Reply-To: <199711042333.QAA24121@usr02.primenet.com>; from Terry Lambert on Tue, Nov 04, 1997 at 11:33:29PM +0000

On Tue, Nov 04, 1997 at 11:33:29PM +0000, Terry Lambert wrote:
> > > > Is it restricted to only let a user check his own password? Or could
> > > > we make it only check a user's own password fairly easily?
> > >
> > > How would that be useful?
> >
> > Security. If a user can check other people's passwords, he can
> > brute-force passwords. If he can't, he can't. :-)
>
> /usr/bin/login
> rshd
> telnetd
> rlogind
> pop3d
>
> ....uh, the user can already check other people's passwords this way.

The only one of these that is universal is /usr/bin/login; it still
contains a slow-down to make it hard to use for brute-force attacks.
And I'd still say that verifying his/her own password is a privilege
that is logical for a user to have; checking other people's passwords
isn't (or at least isn't in the same category.)

Eivind.
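
The two controls discussed in this message, restricting a password-checking helper to the invoking user's own account and slowing down repeated failures, sketched as an added example (not code from the thread, from login, or from the KDE port). The function names, the root exemption and the 16-second cap are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_DELAY_SECS 16u   /* constructed cap, not taken from login(1) */

/* Return 1 if `caller` may ask for `target`'s password to be verified. */
int may_verify_password(uid_t caller, const char *target)
{
    struct passwd *pw;

    if (target == NULL || (pw = getpwnam(target)) == NULL)
        return 0;                 /* unknown account: refuse */
    if (caller == 0)
        return 1;                 /* assumption: root may check any account */
    return pw->pw_uid == caller;  /* everyone else: own account only */
}

/* Seconds to wait before the next attempt: 0, 1, 2, 4, 8, then capped. */
unsigned failure_delay_secs(unsigned failures)
{
    if (failures == 0)
        return 0;
    if (failures > 5)
        return MAX_DELAY_SECS;
    return 1u << (failures - 1);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s user\n", argv[0]);
        return 2;
    }
    /* getuid(), not geteuid(): a setuid helper must judge the real invoker. */
    if (!may_verify_password(getuid(), argv[1])) {
        fprintf(stderr, "refusing to check another user's password\n");
        return 1;
    }
    printf("would verify the password for %s here\n", argv[1]);
    return 0;
}
```

The actual hash comparison is left out; the point is that the ownership check and the delay sit in front of it, so an unprivileged caller gets neither an oracle for other accounts nor unthrottled guesses.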