Path: utzoo!attcan!uunet!decwrl!world!bzs
From: bzs@world.std.com (Barry Shein)
Newsgroups: comp.unix.internals
Subject: Re: Finding Passwords
Message-ID:
Date: 5 Oct 90 14:58:01 GMT
References: <50845@brunix.UUCP> <4086@auspex.auspex.com> <3346:Sep2422:01:3090@kramden.acf.nyu. <936@mwtech.UUCP> <6773@uwm.edu>
Sender: bzs@world.std.com (Barry Shein)
Organization: The World
Lines: 33
In-Reply-To: jgreco@archimedes.math.uwm.edu's message of 5 Oct 90 01:23:44 GMT

>Hold on! Then what point is served? The "printout" would have to be
>performed by login itself. Having a suid program or some similar "external"
>program would be useless - it could just as easily be called by a spoofer.

You missed my point. The scenario:

Trojan horse or whatever that grabs your password, notes it, reports
"Login incorrect" and then cycles the real login program. User thinks
s/he just typo'd and enters it again.

If there were a program in your .login or .profile, call it logbad,
which queried the number of bad attempts and printed something like:

	0 bad logins since last successful on Nov 9, 1965 20:06

you would be able to say "hmm, I just got a login incorrect WHY IS
THAT COUNT ZERO!!!"

Now, I guess the spoofer could walk over to another terminal and cause
one bad login to occur. Perhaps a "logbad -l" should be run by hand
when suspicions arise which would report the exact time and terminal
each bad login occurred (it would be easy to store such info.)

This sort of scheme does work, its only flaw is that it relies on a
user who cares to think. But there are only a few strange conditions
that people would really need to pay attention to (zero bad logins
right after a known bad, or dozens of them at any time.)
-- 
        -Barry Shein

Software Tool & Die    | {xylogics,uunet}!world!bzs | bzs@world.std.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
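
Added example, not part of the original post and not the poster's code: a sketch of the "logbad" check described above, run over constructed login records, flagging the two conditions the post singles out. The record layout, the helper name bad_since_last_success, the saw_login_incorrect flag and the threshold of 24 for "dozens" are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample records (time, tty, user, ok) that a login program is
# assumed to write; a user's final successful row is the current session.
LOG = [
    ("1990-10-04 09:12", "tty03", "bzs", True),
    ("1990-10-04 17:40", "tty07", "jg", False),
    ("1990-10-05 08:55", "tty03", "bzs", False),  # real typo, seen by real login
    ("1990-10-05 08:56", "tty03", "bzs", True),
]
# Same morning, but "Login incorrect" came from a spoofer: the real login
# program never saw a failure, so no bad attempt was recorded.
SPOOFED_LOG = [r for r in LOG if r != LOG[2]]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def bad_since_last_success(log, user):
    """Return (previous successful login time or None, [(time, tty), ...])."""
    mine = sorted((r for r in log if r[2] == user), key=lambda r: _parse(r[0]))
    if mine and mine[-1][3]:
        mine = mine[:-1]  # drop the current session's own success
    bad, last_ok = [], None
    for ts, tty, _, ok in reversed(mine):
        if ok:
            last_ok = ts
            break
        bad.append((ts, tty))
    return last_ok, bad[::-1]

def logbad(log, user, saw_login_incorrect=False, many=24, verbose=False):
    """Summary line, optional per-attempt detail ("logbad -l"), and warnings."""
    last_ok, bad = bad_since_last_success(log, user)
    lines = [f"{len(bad)} bad logins since last successful on {last_ok or 'never'}"]
    if verbose:  # time and terminal of each bad login
        lines += [f"  {ts} on {tty}" for ts, tty in bad]
    warnings = []
    if saw_login_incorrect and not bad:  # zero right after a known bad
        warnings.append("failure seen at terminal but none recorded")
    if len(bad) >= many:  # "dozens of them at any time"
        warnings.append("unusually many bad logins")
    return lines, warnings

if __name__ == "__main__":
    for log in (LOG, SPOOFED_LOG):
        lines, warnings = logbad(log, "bzs", saw_login_incorrect=True, verbose=True)
        print("\n".join(lines + ["WARNING: " + w for w in warnings]))
```

The first warning depends on the user supplying the fact that they saw "Login incorrect", which is the reliance on an attentive user that the post names as the scheme's only flaw.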