Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!usc!ucsd!ucbvax!mtxinu!unisoft!hoptoad!peora!tarpit!bilver!bill
From: bill@bilver.UUCP (Bill Vermillion)
Newsgroups: comp.unix.wizards
Subject: Re: What should the password/security/userinfo/login system include?
Message-ID: <398@bilver.UUCP>
Date: 11 Dec 89 15:05:29 GMT
References: <4180@sbcs.sunysb.edu> <1989Dec7.172233.10130@chinet.chi.il.us> <1236@ispi.UUCP> <1989Dec9.053433.5407@chinet.chi.il.us>
Reply-To: bill@bilver.UUCP (Bill Vermillion)
Distribution: usa
Organization: W. J. Vermillion, Winter Park, FL
Lines: 49

In article <1989Dec9.053433.5407@chinet.chi.il.us> les@chinet.chi.il.us (Leslie Mikesell) writes:
>In article <1236@ispi.UUCP> jbayer@ispi.UUCP (Jonathan Bayer) writes:
>
>>>I want logging of *all* keystrokes during a failing attempt at logging
>>>in.
>
>>This is not a good idea.  If someone unauthorized sees this log file
>>they would have a fairly good idea of some of the passwords on the
>>system.
>
>If they are written to a file that can only be read by root, why
>should I worry about that?  If someone can already get root permissions
>why would they want to know any other passwords?

I have noticed that when people choose a password, the next time they
choose a password it is along the same line - eg, names, cars, things, ...

If there is an unscrupulous SA, and failed attempts at logging in are
recorded, there is a good chance that person will be able to quickly
figure out these users' accounts on other machines, that perhaps this
root user doesn't have access to.  Often users have the same p'word on
more than one system.  I am guilty of that on one site where I have 11
machines I am semi-responsible for.  (There are 6 people who have access
to the list of root passwords for these machines.)
They could get to any accounts, but I wouldn't like them to be able to
see what I type for a password for my own login on those machines, as it
would give them an indication of how I choose passwords.  (Human nature
being what it is, we usually build passwords that we can remember.)

>Indeed, and when that person calls me and asks why they can't get in
>to the system, I'd like to be able to tell them.

What's wrong with just noting that user xxxx was rejected for bad
password?

>... In that vein, I'd personally like to strangle the person who
>invented automatic password aging.

I'll agree on that point.

>Les Mikesell

(P.S. Les - I did get the disks last year, but about 5 attempts to mail
you acknowledgement and thanks got bounced.)

bill
-- 
Bill Vermillion - UUCP: {uiucuxc,hoptoad,petsd}!peora!tarpit!bilver!bill
                      : bill@bilver.UUCP
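An added example, not part of the original thread, of the logging design Bill argues for: record that a user was rejected for a bad password (who, where, when) and never accept the typed string into the logger, then summarize the records so an admin can answer "why can't I get in?" without seeing anyone's password. The syslog-style line format, the sample log lines and the function names are my own assumptions.

```python
"""Failed-login records that carry the rejection but never the secret."""
import re
from collections import Counter
from datetime import datetime


def format_failed_login(user: str, source: str, when: datetime) -> str:
    """Build a syslog-style record of a rejected password attempt.

    The attempted password is deliberately not a parameter: a logger that
    never receives the secret cannot write it to a file, root-only or not.
    The line format is an assumption for this example, not a real daemon's.
    """
    stamp = when.strftime("%b %d %H:%M:%S")
    return f"{stamp} login: FAILED LOGIN for user {user} from {source}: bad password"


# Matches only the records produced above (assumed format).
FAILED_RE = re.compile(r"FAILED LOGIN for user (\S+) from (\S+): bad password")


def summarize_failures(log_lines):
    """Count rejected attempts per (user, source) so the admin can tell a
    caller 'you were rejected N times from tty01' without knowing what was typed."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return dict(counts)


def log_leaks_any(log_lines, candidate_secrets):
    """Audit check: True if any string a user might have typed appears in the
    log verbatim. With the logger above this should always be False."""
    return any(s in line for line in log_lines for s in candidate_secrets)


# Constructed sample log (not taken from the original post).
SAMPLE_LOG = [
    format_failed_login("bill", "tty01", datetime(1989, 12, 11, 15, 5, 29)),
    format_failed_login("bill", "tty01", datetime(1989, 12, 11, 15, 5, 41)),
    format_failed_login("les", "ttyp0", datetime(1989, 12, 11, 15, 6, 2)),
]

if __name__ == "__main__":
    for key, n in summarize_failures(SAMPLE_LOG).items():
        print(f"user {key[0]} rejected {n} time(s) from {key[1]}")
```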