Path: utzoo!attcan!uunet!lll-winken!csd4.milw.wisc.edu!mailrus!tut.cis.ohio-state.edu!bloom-beacon!adam.pika.mit.edu!scs
From: scs@adam.pika.mit.edu (Steve Summit)
Newsgroups: comp.unix.wizards
Subject: Re: Learning about remote users
Message-ID: <9925@bloom-beacon.MIT.EDU>
Date: 18 Mar 89 05:02:18 GMT
References: <199@minya.UUCP> <10561@yendor.phx.mcd.mot.com>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: scs@adam.pika.mit.edu (Steve Summit)
Lines: 25

In article <10561@yendor.phx.mcd.mot.com> stefan@yendor.UUCP (Stefan Loesch) writes:
>What I did, was modifying login.c, so that whenever the code for the
>dialup password was executed, login would write the following data to a
>certain logfile:
>	username password dialuppassword time

Why, pray tell, did you record the password(s) in the log file?
How careful were you to protect the file against inadvertent read
access?  How carefully did you protect every backup tape made of
the filesystem on which it resided?  How did you inspect the file
yourself without learning people's passwords?

(I don't know about you, but I do *not* *want* to know people's
passwords.  For instance, whenever I write a password-cracking
program to check for insecure passwords, I make its output file
mode 000, and do

	chmod 400 file; wc file; chmod 000 file

if I want to know how many it found.)

This issue is discussed here from time to time, and the consensus
is generally that recording unencrypted passwords, including
mistyped ones, is a bad idea.

                                            Steve Summit
                                            scs@adam.pika.mit.edu
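The alternative the post argues for, as an added illustration that is not from Steve Summit's article nor from the modified login.c it replies to: record who tried to log in over the dialup line, when, and whether it worked, and never hand the typed password to the logging routine at all, so it cannot end up in the file, in backups of the file, or in front of whoever reads the file. The file name, the function names and the OK/FAIL vocabulary are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a dialup-attempt log that records the outcome, not the secret.
# Assumed log path; override with LOGFILE=... in the environment.
LOGFILE=${LOGFILE:-/var/adm/dialup.log}

# Record one dialup authentication attempt.
# usage: log_dialup_attempt USERNAME OK|FAIL
# The password the caller typed is deliberately not a parameter: a routine
# that never receives the secret cannot write it to disk by mistake.
log_dialup_attempt() {
    _user=$1
    _result=$2
    case $_result in
        OK|FAIL) ;;
        *) echo "log_dialup_attempt: result must be OK or FAIL, got '$_result'" >&2
           return 1 ;;
    esac
    # umask 077 in a subshell so a freshly created log is owner-only (mode 600)
    # without disturbing the caller's umask.
    ( umask 077
      printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$_user" "$_result" \
          >> "$LOGFILE" )
    # Tighten the mode even if the file already existed with looser permissions.
    chmod 600 "$LOGFILE"
}

# Number of attempts recorded, answered without printing a single entry
# (the same "count it, don't read it" habit as the chmod 400; wc; chmod 000 trick).
count_logged_attempts() {
    [ -f "$LOGFILE" ] || { echo 0; return 0; }
    wc -l < "$LOGFILE" | tr -d ' '
}

# Number of failed attempts for one user: field 2 is the username, field 3 the
# result. This is the kind of question the original log was meant to answer,
# and it needs no passwords to do so.
count_failures_for() {
    [ -f "$LOGFILE" ] || { echo 0; return 0; }
    awk -v u="$1" '$2 == u && $3 == "FAIL"' "$LOGFILE" | wc -l | tr -d ' '
}

# Stand-alone demo against a scratch file (constructed data, not real attempts).
if [ "${1:-}" = "--demo" ]; then
    LOGFILE=$(mktemp)
    log_dialup_attempt alice OK
    log_dialup_attempt bob FAIL
    log_dialup_attempt bob FAIL
    echo "attempts logged: $(count_logged_attempts)"
    echo "failures for bob: $(count_failures_for bob)"
    ls -l "$LOGFILE"
    rm -f "$LOGFILE"
fi
```

Run it as `sh dialup_log.sh --demo` to see three entries, two failures for bob, and a log file created mode 600. Everything the post objects to is absent by construction: there is no argument through which the password could arrive, so neither a correct nor a mistyped one can be written, and the backup-tape and who-reads-it questions disappear with it.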