Xref: utzoo sci.crypt:1413 comp.unix.wizards:13633 news.sysadmin:1983
Path: utzoo!attcan!uunet!lll-winken!lll-lcc!ames!husc6!rutgers!att!ihlpb!nevin1
From: nevin1@ihlpb.ATT.COM (Liber)
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Subject: Re: Yet Another useful paper
Message-ID: <9243@ihlpb.ATT.COM>
Date: 22 Dec 88 00:10:21 GMT
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <4420@xenna.Encore.COM> <2743@epimass.EPI.COM> <110@microsoft.UUCP> <12750@bellcore.bellcore.com>
Reply-To: nevin1@ihlpb.UUCP (55528-Liber,N.J.)
Organization: AT&T Bell Laboratories - Naperville, Illinois
Lines: 42

In article <12750@bellcore.bellcore.com> karn@ka9q.bellcore.com (Phil Karn) writes:

>My fear is that it will make administrators complacent; they'll reason that
>since no one can get at the file, then there's no need to ensure on a
>regular basis that people pick hard-to-guess passwords.

Any administrator who will reason this out probably has so many other
security holes on his/her system that it won't really matter anyway. Do
you really want someone that naive as your system's "most trusted user"?

>The next thing you'd know, the crackers would be back because they figured
>out somebody's trivial password by trial and error through the login prompt.
>It doesn't take very long to try the simple permutations even that way.

And by not putting shadow password files on the system, a cracker is going
to think that it will be *harder* to break the system than if he couldn't
read the password file? I have a very hard time believing this.

>I think the password file should remain publicly readable, thereby giving
>the administrators more of an incentive to police it regularly for
>easy-to-guess passwords.
If it is possible for your administrator to reason that there is no need to
make sure passwords are hard to guess when shadow files are around, won't
he/she also reason that there is no need to make sure passwords are
hard-to-guess when the passwords themselves are crypted? These both follow
the same line of reasoning (as a matter of fact, the second case is more
likely since this is the well-known reason for being able to have
/etc/passwd readable in the first place. For a reference, look at section
2.4 of K&P's "The Unix(R) Programming Environment").

Also, since most of the administrators I know don't bother to police their
password files manually (only the gurus at NSA can uncrypt in their head
:-)), why would running their automatic tools be any different with shadow
files?

In this case, the less information given to a cracker, the better. It's
just too easy to break into a system given an encrypted password file and
a little knowledge about human nature.
-- 
NEVIN ":-)" LIBER
AT&T Bell Laboratories
nevin1@ihlpb.ATT.COM
(312) 979-4751
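The two checks the thread argues over, whether hashes are exposed in a world-readable passwd file and whether an administrator's "automatic tools" can police for trivial passwords either way, can be shown in one small audit. The following is an added example, not code from the post or from any Unix vendor; it assumes a constructed passwd/shadow pair and uses a labelled stand-in hash (`$toy$<salt>$<sha256>`) in place of the DES-based crypt(3) so it runs on current Python without the removed `crypt` module. The policing step is deliberately identical for shadowed and unshadowed entries, which is the point of the post: shadowing removes what an outsider can read, not what the administrator can check.

```python
import hashlib


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3) (assumption: a salted SHA-256 instead of 1988 DES).
    The output mimics a modular-crypt string so the salt can be parsed back out."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"


def salt_of(hash_field: str) -> str:
    """Pull the salt out of a $toy$<salt>$<digest> string; reject anything else."""
    parts = hash_field.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "toy":
        raise ValueError(f"unrecognised hash format: {hash_field!r}")
    return parts[2]


def parse_colon_file(text: str) -> dict:
    """Map user -> second field of a passwd- or shadow-style file (blank/comment lines skipped)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed line: {line!r}")
        entries[fields[0]] = fields[1]
    return entries


def audit(passwd_text: str, shadow_text: str, wordlist) -> list:
    """Return (user, code) findings.

    'empty-password'  : second field blank, login needs no password at all
    'hash-exposed'    : hash sits in the world-readable passwd file, not in shadow
    'guessable'       : hash matches a word from the administrator's list
    """
    findings = []
    shadow = parse_colon_file(shadow_text)
    for user, field in parse_colon_file(passwd_text).items():
        if field == "":
            findings.append((user, "empty-password"))
            continue
        # 'x' means "look in the shadow file"; anything else is the hash itself.
        hash_field = shadow.get(user, "*") if field == "x" else field
        if hash_field.startswith(("*", "!")):
            continue  # locked account, nothing to guess
        if field != "x":
            findings.append((user, "hash-exposed"))
        # The policing step: the same dictionary check whether the hash came
        # from passwd or from shadow, which is what the post argues.
        salt = salt_of(hash_field)
        if any(toy_crypt(word, salt) == hash_field for word in wordlist):
            findings.append((user, "guessable"))
    return findings


# Constructed sample files (not data from any real system).
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/:/bin/sh",
    "alice:x:1001:100:Alice:/home/alice:/bin/sh",
    f"bob:{toy_crypt('password', 'ab')}:1002:100:Bob:/home/bob:/bin/sh",  # not shadowed
    "guest::1003:100:Guest:/home/guest:/bin/sh",                         # empty password
    "nobody:*:65534:65534:nobody:/:/bin/false",                           # locked
])
SAMPLE_SHADOW = "\n".join([
    f"root:{toy_crypt('correct horse battery staple', 'r1')}:0:0:99999:7:::",
    f"alice:{toy_crypt('secret', 'a9')}:0:0:99999:7:::",
])
# A tiny "trivial password" list standing in for an administrator's wordlist.
WORDLIST = ["password", "secret", "letmein", "guest"]

if __name__ == "__main__":
    for user, code in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, WORDLIST):
        print(f"{user}: {code}")
```

Run as a script it reports alice as guessable even though her hash is shadowed, bob as both exposed and guessable, and guest as having no password at all; root, with a shadowed hash that is not in the list, produces no finding. Swapping `toy_crypt` for a real modular-crypt implementation is the only change needed to run this over actual files.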