Path: utzoo!attcan!uunet!world!bzs
From: bzs@world.std.com (Barry Shein)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID:
Date: 28 Sep 90 05:42:17 GMT
References: <50845@brunix.UUCP> <4086@auspex.auspex.com> <3346:Sep2422:01:3090@kramden.acf.nyu. <936@mwtech.UUCP>
Sender: bzs@world.std.com (Barry Shein)
Organization: The World
Lines: 26
In-Reply-To: martin@mwtech.UUCP's message of 26 Sep 90 10:39:55 GMT

One simple and non-intrusive defense against most such attacks would be
if, on successful login, the system would just tell you how many
unsuccessful login attempts there have been on your account. This could
be accomplished via a database only writeable by root.

Of course, the printout could just be the output of a simple program run
in your login script (itself somewhat secure, reporting only on the real
uid, but that's not so critical as it's the ability to increment the
count or zero it out which must be secure, not just report it.)

Being as most of these programs would tell you you mistyped your
password (after squirreling it away), seeing "Unsuccessful logins: 0"
would indeed be suspicious a moment later. You would change your
password immediately and report it if appropriate.

Such a program would also let you know if someone has been trying to
guess your password (Unsuccessful logins: 123).

Of course, if they broke into that db then who cares, they have root
access, you're dead meat anyhow.

--
        -Barry Shein

Software Tool & Die    | {xylogics,uunet}!world!bzs | bzs@world.std.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
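The counter scheme in the post, written out as an added example (this is not code from Barry Shein's post or from any real login program). It assumes an in-memory table standing in for the root-writable database, that the genuine login program runs as uid 0, and constructed uids 1001 (the user) and 1002 (the attacker running a password-grabbing trojan). The function names are hypothetical. The point it shows is the one the post makes: incrementing and zeroing the count are the privileged operations, so a trojan prompt that prints "Login incorrect" cannot also make the count agree with what the user just saw.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_USERS 16

/* One row of the root-only failed-login database; an in-memory table
 * stands in for the on-disk file (assumption for the example). */
struct failrec {
    unsigned uid;
    unsigned failed;   /* unsuccessful attempts since the last good login */
};

struct faildb {
    struct failrec rows[MAX_USERS];
    size_t n;
};

/* Find the row for uid, creating it if absent; NULL if the table is full. */
static struct failrec *find_row(struct faildb *db, unsigned uid)
{
    for (size_t i = 0; i < db->n; i++)
        if (db->rows[i].uid == uid)
            return &db->rows[i];
    if (db->n == MAX_USERS)
        return NULL;
    db->rows[db->n].uid = uid;
    db->rows[db->n].failed = 0;
    return &db->rows[db->n++];
}

/* The genuine login program (uid 0) calls this when a password check fails.
 * Any other caller gets EPERM: that is the "only writeable by root" property,
 * and it is what stops a trojan running as an ordinary user from faking an
 * entry after it has squirreled the password away. */
int faildb_record_failure(struct faildb *db, unsigned caller_uid, unsigned uid)
{
    if (caller_uid != 0)
        return -EPERM;
    struct failrec *r = find_row(db, uid);
    if (r == NULL)
        return -ENOSPC;
    r->failed++;
    return 0;
}

/* Called by the genuine login program after a successful password check:
 * returns the count to print for the user and zeroes it.  Zeroing is the
 * other privileged operation, hence the same root check. */
int faildb_report_and_reset(struct faildb *db, unsigned caller_uid, unsigned uid)
{
    if (caller_uid != 0)
        return -EPERM;
    struct failrec *r = find_row(db, uid);
    if (r == NULL)
        return -ENOSPC;
    int n = (int)r->failed;
    r->failed = 0;
    return n;
}

/* The user's side of the check: the printed count must never be lower than
 * the number of "Login incorrect" messages they just saw. */
int looks_suspicious(int reported, int failures_user_saw)
{
    return reported < failures_user_saw;
}

/* Scenario 1: uid 1001 mistypes twice at the real login, then gets in. */
int scenario_genuine_typos(void)
{
    struct faildb db = { .n = 0 };
    faildb_record_failure(&db, 0, 1001);
    faildb_record_failure(&db, 0, 1001);
    return faildb_report_and_reset(&db, 0, 1001);
}

/* Scenario 2a: the trojan (running as uid 1002) tries to bump 1001's count
 * so its fake "Login incorrect" lines up with the later report. Refused. */
int trojan_record_attempt(void)
{
    struct faildb db = { .n = 0 };
    return faildb_record_failure(&db, 1002, 1001);
}

/* Scenario 2b: so when 1001 logs in for real a moment later the report is
 * 0, right after being told the password was mistyped: the tell. */
int scenario_trojan_reported(void)
{
    struct faildb db = { .n = 0 };
    (void)faildb_record_failure(&db, 1002, 1001);
    return faildb_report_and_reset(&db, 0, 1001);
}

/* Scenario 3: someone guessed at 1001's password `guesses` times. */
int scenario_guessing(int guesses)
{
    struct faildb db = { .n = 0 };
    for (int i = 0; i < guesses; i++)
        faildb_record_failure(&db, 0, 1001);
    return faildb_report_and_reset(&db, 0, 1001);
}

int main(void)
{
    printf("Unsuccessful logins: %d\n", scenario_genuine_typos());
    int seen = scenario_trojan_reported();
    printf("Unsuccessful logins: %d%s\n", seen,
           looks_suspicious(seen, 1) ? "   <- but you were just told you mistyped" : "");
    printf("Unsuccessful logins: %d\n", scenario_guessing(123));
    return 0;
}
```

The read-only report could be handed to an unprivileged program in the user's login script, as the post allows, since reading the count reveals nothing an attacker could use to cover their tracks; only `faildb_record_failure` and `faildb_report_and_reset` need the root check.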