Xref: utzoo comp.protocols.tcp-ip:11550 alt.sys.sun:946 Path: utzoo!utgpu!watserv1!watmath!att!cbnewsh!wcs From: wcs@cbnewsh.att.com (Bill Stewart 201-949-0705 erebus.att.com!wcs) Newsgroups: comp.protocols.tcp-ip,alt.sys.sun Subject: Re: abolishing /etc/passwd (was Re: anonymous ftp, and the dangers thereof) Message-ID: <1990Jun4.223120.2106@cbnewsh.att.com> Date: 4 Jun 90 22:31:20 GMT References: <6703@blake.acs.washington.edu> <28764@ut-emx.UUCP> Organization: Your typical phone company involved in your typical daydream Lines: 38 In article <28764@ut-emx.UUCP> pmaniac@walt.cc.utexas.edu (Noah Friedman) writes: ]In article <6703@blake.acs.washington.edu> mrc@Tomobiki-Cho.CAC.Washington.EDU (Mark Crispin) writes: ]>... There are lessons to be learned, starting with the ]>abolishment of /etc/passwd and user access to the encryption ]>algorithm. ]/etc/passwd is quite useful. A number of my programs use information ]in this database, including the password field, so that other users ]can use their own passwords for various options while running my programs. /etc/passwd has become the traditional location for user-info other than passwords, so of course it needs to be kept, but I agree with the shadow-password approach that puts (encrypted) passwords in a non-world-readable file. Yes, this means that YOUR software can't use the real password, but this is good - I'm not going to trust my real password to non-system software, because of the increased risk of trojan horses and insecurity; terminal-lockers and such get their own passwords. ]If DES is breakable, then a new algorithm needs to be implemented. And ]users should be encouraged to choose good passwords, otherwise it ]doesn't matter what encryption mechanism is used. The point of the modified-DES used by UNIX is that it isn't the same as the real DES, so a real-DES breaker won't work, and a fast hardware implementation of real-DES will make it hard to search for obvious passwords. Unfortunately, though, people have gotten 10-fold speedups in password encryption through software, and hardware is 1-2 orders of magnitude faster than the old PDP-11 days (much more, if you have a network of machines to bum cycles off of). So DES isn't real secure enough either, given readable passwords. -- Thanks; Bill # Bill Stewart AT&T Bell Labs 4M312 Holmdel NJ 201-949-0705 erebus.att.com!wcs # Actually, it's *two* drummers, and we're not marching, we're *dancing*. # But that's the general idea.