Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!gatech!hubcap!ncrcae!rogerc
From: rogerc@ncrcae.Columbia.NCR.COM (Roger Collins)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <4038@ncrcae.Columbia.NCR.COM>
Date: 3 Jan 89 15:16:27 GMT
Reply-To: rogerc@ncrcae.Columbia.NCR.COM (Roger Collins)
Organization: NCR - E & M Columbia
Lines: 51

In article <4546@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>
> >I like some form of shadow passwords as a solution. Once they're in place,
> >you no longer care what the user picks for a password, as long as it's N
> >characters long and not the account name.
> >
> >Keith Bostic
>
> Round and round, and you're not disturbed at the fact that you're now
> relying on the unreadability of the shadow file? How many ways are
> there to read a read-protected file? How do you know it has been read
> by an unauthorized person (or a disgruntled employee)? If you suspect
> it has been read what is the appropriate action (I can answer that,
> change every password on the system, wotta nuisance.)
>
> -Barry Shein, ||Encore||

Same reasoning: Conventional door locks are not perfect. So, rather than
let myself be lulled into complacency by locking the door, I will just
wait till newer technology makes a perfect lock. Hell, I better start
research now so my house can be safe once and for all.

Now, seriously:

o Almost every C programmer knows how to write a brute force program to
  crack passwords in a readable password file.

o Only a very small percentage of Unix users (experts) know about holes
  and such to read unreadable files. (And a knowledgeable administrator
  can decrease this percentage by plugging these holes as they are made
  known by other experts.)

o Shadow password file DOES NOT encourage people to use sloppy passwords.
  Your passwd program or /etc/motd can be just as annoying as it ever
  was :).

o Security will still improve.

I'm sure that all security development will NOT just stop because shadow
passwording solves all the problems. The problem is not being "swept
under the rug."

Enough. Whatever happened to the campaign for comp.security or
comp.unix.security or whatever?

--
Roger Collins
rogerc@ncrcae.Columbia.NCR.COM
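The thread argues over two things: moving the hashes out of the world-readable passwd file, and Bostic's minimal rule that a password only needs to be N characters long and not the account name. The following is an added example, not code from the post or from any of the people quoted in it. It is a small audit script in the spirit of what an administrator from the thread might run: it checks a passwd file for entries that still carry a hash (or no password at all), checks a shadow file for empty hashes, and implements Bostic's rule as a function. The file formats (classic 7-field passwd, shadow with the hash in the second field, "x" or "*" marking a shadowed entry), the value of N, and all sample lines are my assumptions and constructions, not anything stated in the thread.

```python
"""Added example (not from the original post): audit the passwd/shadow split.

Assumptions made here, not in the thread:
  - passwd lines have the classic 7 fields: name:pw:uid:gid:gecos:home:shell
  - shadow lines start name:hash:...; only the first two fields are used
  - a passwd pw field of "x" or "*" means the hash lives in the shadow file
  - min_len plays the role of Bostic's "N characters"
All sample lines are constructed for this example; the hashes are not real.
"""

from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    account: str
    problem: str


def parse_records(text: str) -> List[List[str]]:
    """Split colon-separated records, skipping blank and commented lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.append(line.split(":"))
    return records


def audit_passwd(passwd_text: str) -> List[Finding]:
    """Flag accounts whose world-readable passwd entry still carries a hash,
    or whose password field is empty (login with no password at all)."""
    findings = []
    for fields in parse_records(passwd_text):
        if len(fields) < 7:
            continue  # malformed line; a real audit would report it separately
        name, pw = fields[0], fields[1]
        if pw == "":
            findings.append(Finding(name, "empty password field in passwd"))
        elif pw not in ("x", "*"):
            findings.append(Finding(name, "hash exposed in world-readable passwd"))
    return findings


def audit_shadow(shadow_text: str) -> List[Finding]:
    """Flag shadow entries with an empty hash (the shadow file protects
    nothing for such an account)."""
    findings = []
    for fields in parse_records(shadow_text):
        if len(fields) < 2:
            continue
        name, digest = fields[0], fields[1]
        if digest == "":
            findings.append(Finding(name, "empty hash in shadow"))
    return findings


def password_acceptable(account: str, candidate: str, min_len: int = 8) -> bool:
    """Bostic's minimal rule from the thread: at least N characters and not
    the account name. Comparing case-insensitively is my choice."""
    if len(candidate) < min_len:
        return False
    if candidate.lower() == account.lower():
        return False
    return True


# Constructed sample files. "x" marks a shadowed entry; bob's entry is the
# pre-shadow situation the thread complains about; guest has no password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:AbCONSTRUCTEDHASH:1002:100:Bob:/home/bob:/bin/sh
guest::1003:100:Guest:/home/guest:/bin/sh
"""

SAMPLE_SHADOW = """\
root:CONSTRUCTEDHASH1:18000:0:99999:7:::
alice:CONSTRUCTEDHASH2:18000:0:99999:7:::
carol::18000:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW):
        print(f"{f.account}: {f.problem}")
```

Run against the constructed samples it reports bob (hash still in passwd), guest (empty passwd field) and carol (empty shadow hash). Pointing `audit_passwd` at a real `/etc/passwd` is a quick way to confirm a system has actually completed the shadow migration rather than just installed the shadow file.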