Path: utzoo!utgpu!watmath!clyde!att!ucbvax!marc
From: marc@ucbvax.BERKELEY.EDU (Marc Teitelbaum)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <27361@ucbvax.BERKELEY.EDU>
Date: 5 Jan 89 10:55:13 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <4523@xenna.Encore.COM> <27283@ucbvax.BERKELEY.EDU> <4546@xenna.Encore.COM>
Reply-To: marc@okeeffe.Berkeley.EDU.UUCP (Marc Teitelbaum)
Organization: CSRG, UC Berkeley
Lines: 39

In article <4546@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>
>Round and round, and you're not disturbed at the fact that you're now
>...

The first problem I have with your argument is essentially this. You
assume that file system security is weak enough that an average hacker
can gain access to the shadow password file. I contend that if the
average hacker can accomplish this, then he doesn't *need* to crack any
passwords because he can *just* as easily gain access to any other file
in the filesystem. And, after all, isn't that what the hacker is after
anyway? Most of the interesting information is contained in *files*,
isn't it? Then, if the average hacker is so facile at finding and
gaining access to random files (shadow password or otherwise), who the
hell needs to crack passwords?

The second problem with your argument is that you overlook Henry's
point that no security is perfect, just that the more secure system
makes it that much *harder* to break in. Puts up more road blocks.
Leaves more trails for the careless.

Your argument is that the perceived security of shadow password files
will make the system administrator more complacent, therefore it's
undesirable. Poppycock. That's a system administrator issue, and
educating a system administrator is a heck of a lot easier than
educating the entire user community.

I could just as easily argue that since the file system protection is
so insecure (to the point that any hacker can access the shadow
password file), then setting file permissions is really a waste of time
and just a delusion that your files are secure. Therefore, you're
fooling yourself if you have your umask set to anything other than 000.
I don't buy this - do you?

Marc
-------------------------------
Marc Teitelbaum                 +1-415-643-6448
457 Evans Hall
Computer Systems Research Group, CSRG / DEC
University of California
Berkeley, CA 94720