On Wed, 16 Aug 2000, Bogdan Zapca wrote:
> Much ado about nothin', I think. Roman is right. If an attacker has access to your encrypted password there's nothing to worry about, you've been hacked. If one sets up a good security policy (tcp wrappers, firewall, user access) there's nothing to worry about cracked passwords. Using something like shadow works just fine. You could even set up a plain text password file instead of crypt, md5, blowfish and others.
Yes, but it's the difference between one host being hacked and an entire network. I don't know about your network of course, but on ours there are A LOT of hosts, some of which are even maintained by users (much to my horror and disgust ;-)). What about a user who decides he wants to use Linux and installs a default installation of, say, RedHat 4.2 (because he had that lying around anyway) and makes his (registered Windows host) multi-boot, so suddenly you have a Linux machine on your net that is so full of holes you could drive a truck through it. Of course the user uses the same password on it that he uses on all other university systems. No need for inconvenience, eh? ;-). Then I would very much prefer that the passwords be encrypted by an algorithm that takes the hacker (who gained root on the new machine in about 5 minutes) some weeks to crack, because by that time the user's password will have changed again. And believe me, these users do exist (although not for long after we discover what they did ;-)).
Please, do add an "IMHO" at the beginning of each sentence.
Stefan
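The point Stefan makes, that a hash with a tunable work factor buys time measured against the password-rotation interval, can be shown with a small measurement. The following is an added example, not code from this thread or from any of the systems mentioned: it compares a single MD5 over salt+password with PBKDF2-HMAC-SHA256 (standing in for a slow, iterated scheme such as the md5crypt or blowfish crypt variants the thread names), measures the slowdown ratio on the local machine, and scales a constructed attacker guessing rate by that ratio. The password, salt, keyspace size and attacker rate are all constructed assumptions for illustration.

```python
"""Relate the work factor of a password hash to the password-rotation interval.

Added example; the password, salt, keyspace and attacker rate below are
constructed assumptions, not measurements of any real system.
"""
import hashlib
import time

# Constructed sample inputs (not from any real password file).
SAMPLE_PASSWORD = b"correct horse"
SAMPLE_SALT = b"\x00\x01\x02\x03\x04\x05\x06\x07"

# Constructed assumption: an attacker's guessing rate against the fast hash.
# The absolute number is illustrative; only the ratio between the two hashes
# is actually measured here.
ASSUMED_ATTACKER_FAST_RATE = 1e9  # guesses per second


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """One MD5 over salt+password: cheap for defender and attacker alike."""
    return hashlib.md5(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is the tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def guesses_per_second(hash_fn, min_seconds: float = 0.2) -> float:
    """Measure how many hashes of SAMPLE_PASSWORD this machine computes per second."""
    count = 0
    start = time.perf_counter()
    while True:
        hash_fn(SAMPLE_PASSWORD, SAMPLE_SALT)
        count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_seconds:
            return count / elapsed


def expected_crack_seconds(keyspace: int, rate: float) -> float:
    """Expected brute-force time: on average half the keyspace must be tried."""
    return keyspace / 2 / rate


def outlives_rotation(crack_seconds: float, rotation_days: int) -> bool:
    """True when the expected crack time exceeds the password-change interval."""
    return crack_seconds > rotation_days * 86_400


def compare(keyspace: int, rotation_days: int, attacker_fast_rate: float) -> dict:
    """Scale the assumed attacker rate by the locally measured slowdown ratio."""
    ratio = guesses_per_second(fast_hash) / guesses_per_second(slow_hash)
    fast_secs = expected_crack_seconds(keyspace, attacker_fast_rate)
    slow_secs = expected_crack_seconds(keyspace, attacker_fast_rate / ratio)
    return {
        "slowdown_ratio": ratio,
        "fast_crack_days": fast_secs / 86_400,
        "slow_crack_days": slow_secs / 86_400,
        "fast_outlives_rotation": outlives_rotation(fast_secs, rotation_days),
        "slow_outlives_rotation": outlives_rotation(slow_secs, rotation_days),
    }


if __name__ == "__main__":
    # Constructed assumption: 8-character alphanumeric passwords, 90-day rotation.
    result = compare(62 ** 8, 90, ASSUMED_ATTACKER_FAST_RATE)
    for key, value in result.items():
        print(f"{key:24s} {value}")
```

The measured ratio is the only empirical quantity; everything else is an assumption the reader can replace with their own numbers. The design choice worth noting is that the work factor is a parameter (`iterations`), so the defender can raise it as hardware gets faster, which a fixed single-round hash cannot offer.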