Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!purdue!haven!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn)
Newsgroups: comp.unix.questions
Subject: Re: How secure is UNIX?
Message-ID: <13086@smoke.BRL.MIL>
Date: 12 Jun 90 06:42:45 GMT
References: <1990May23.100928.10699@agate.berkeley.edu> <720016@hpclapd.HP.COM> <1990Jun10.083006.17475@athena.mit.edu>
Organization: U.S. Army Ballistic Research Laboratory, APG, MD.
Lines: 13

In article <1990Jun10.083006.17475@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes:
>  The elegance of the standard Unix security mechanism is that, given
>well-chosen and moderately-frequently-changed passwords, it doesn't
>*matter* whether or not someone can read the /etc/passwd file, because
>doing so *does not enable them to break the security of your system*,
>at least not in the short term.

While that was reasonably the case when this scheme was first devised,
it is certainly no longer true.  Thus, hiding the encrypted passwords
is now necessary for security, and if there are no other security
loopholes that suffices to protect the passwords.  Better authentication
schemes are welcome, but until one is widely adopted shadow encrypted
password files plug one of the biggest security gaps.
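
Added example, not part of the original post: a small audit that reports which entries in a passwd(5)-format file still carry an encrypted password in the world-readable file instead of a shadow placeholder, and whether a given file is readable by "other". The sample file contents, the hash string and the function names are constructed for illustration.

```python
import os
import stat

# Constructed sample in passwd(5) format; the hash string is a made-up placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:abJnggxhB0000:1001:100:Alice:/home/alice:/bin/sh
bob::1002:100:Bob:/home/bob:/bin/sh
daemon:*:1:1:daemon:/:/bin/false
carol:!:1003:100:Carol:/home/carol:/bin/sh
# comment line
+::0:0:::
"""

def classify(pw_field):
    """Classify the second (password) field of a passwd entry."""
    if pw_field == "x":
        return "shadowed"        # hash is kept in the shadow file
    if pw_field == "":
        return "empty"           # no password required at all
    if pw_field[0] in "*!":
        return "locked"          # can never match any crypt output
    return "exposed_hash"        # hash readable by every local user

def audit_passwd(text):
    """Return {status: [usernames]} for every well-formed entry."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":   # blanks, comments, NIS markers
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                        # malformed entry, ignore
        report.setdefault(classify(fields[1]), []).append(fields[0])
    return report

def world_readable(path):
    """True if 'other' has read permission on path (e.g. a shadow file)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

if __name__ == "__main__":
    for status, users in sorted(audit_passwd(SAMPLE_PASSWD).items()):
        print(f"{status}: {', '.join(users)}")
```

Accounts reported as exposed_hash or empty are the ones to fix first; the file that holds the hashes after conversion should make world_readable() return False.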