Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uwm.edu!archimedes.math.uwm.edu!jgreco
From: jgreco@archimedes.math.uwm.edu (Joe Greco)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID: <6773@uwm.edu>
Date: 5 Oct 90 01:23:44 GMT
References: <50845@brunix.UUCP> <4086@auspex.auspex.com> <3346:Sep2422:01:3090@kramden.acf.nyu. <936@mwtech.UUCP>
Sender: news@uwm.edu
Organization: University of Wisconsin, Milwaukee - Department of Mathematics
Lines: 26

In comp.unix.internals article , bzs@world.std.com (Barry Shein) wrote:
:
:One simple and non-intrusive defense against most such attacks would
:be if, on successful login, the system would just tell you how many
:unsuccessful login attempts there have been on your account.
:
:This could be accomplished via a database only writeable by root. Of
:course, the printout could just be the output of a simple program run
:in your login script (itself somewhat secure, reporting only on the
:real uid, but that's not so critical as it's the ability to increment
:the count or zero it out which must be secure, not just report it.)

Hold on!  Then what point is served?  The "printout" would have to be
performed by login itself.  Having a suid program or some similar
"external" program would be useless - it could just as easily be called
by a spoofer.

... Joe

-------------------------------------------------------------------------------
Joe Greco - University of Wisconsin, Milwaukee - Department of Mathematics
jgreco@archimedes.math.uwm.edu          USnail: Joe Greco
Voice: 414/321-6184                             9905 W. Montana Ave.
Data:  414/321-9287 (Happy Hacker's BBS)        West Allis, WI  53227-3329
ICBM:  43 05 20 N  87 53 10 W
#include Disclaimer: I don't speak for the Math Department, the University, or myself.