Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ncar!noao!asuvax!yendor!stefan
From: stefan@yendor.phx.mcd.mot.com (Stefan Loesch)
Newsgroups: comp.unix.wizards
Subject: Re: Learning about remote users
Message-ID: <10574@yendor.phx.mcd.mot.com>
Date: 20 Mar 89 18:48:16 GMT
References: <199@minya.UUCP> <10561@yendor.phx.mcd.mot.com> <9925@bloom-beacon.MIT.EDU>
Reply-To: stefan@yendor.UUCP (Stefan Loesch)
Organization: Motorola Microcomputer Division, Tempe, Az.
Lines: 27

In article <9925@bloom-beacon.MIT.EDU> scs@adam.pika.mit.edu (Steve Summit) writes:
>
>Why, pray tell, did you record the password(s) in the log file?

I wanted to see ESPECIALLY the passwords, to be able to tell when
somebody tried to break in, whether he did it with inside information,
or with password scanning.

>How careful were you to protect the file against inadvertent read
>access? How carefully did you protect every backup tape made of
>the filesystem on which it resided?

The file was mode 0 or 600 (can't remember) with owner root. So was
the directory it resided in. Of that filesystem there never were any
backups.

>How did you inspect the file
>yourself without learning people's passwords? (I don't know
>about you, but I do *not* *want* to know people's passwords. For
>......
>This issue is discussed here from time to time, and the consensus
>is generally that recording unencrypted passwords, including
>mistyped ones, is a bad idea.

I generally agree. However, on this system everybody knew and agreed
to the procedure (only ~ 20 people). To keep private stuff nearly
everybody had his own machine, for which he alone knew the passwords.
What good are passwords doing you, if you're root anyhow? Unless
people use their passwords on more than one machine, which is bad
anyway.

Stefan Loesch stefan@mcdphx!motpdq