Mailinglist Archive: opensuse-security (601 mails)
Re: [suse-security] crypt()
- From: Stefan Suurmeijer <stefan@xxxxxxxxxxxx>
- Date: Wed, 16 Aug 2000 16:27:43 +0200 (CEST)
- Message-id: <Pine.LNX.4.21.0008161615530.6293-100000@xxxxxxxxxxxxxxxxxxxx>
On Wed, 16 Aug 2000, Bogdan Zapca wrote:
>
> Much ado about nothin', i think.
> Roman is right. If an attacker has access to your encrypted password
> there's nothing to worry about, you've been hacked.
> If one sets up a good security policy (tcp wrappers, firewall, user
> access) there's nothing to worry about cracked passwords. Using something
> like shadow works just fine. You could even set up a plain text password
> file instead of crypt, md5, blowfish and others.
>
Yes, but it's the difference between one host being hacked and an entire
network. I don't know about your network of course, but on ours there are
A LOT of hosts, some of which are even maintained by users (much to my
horror and disgust ;-)). What about a user who decides he wants to use
Linux and installs a default installation of say RedHat 4.2 (because he
had that lying around anyway) and makes his (registered Windows
host) multi boot, so suddenly you have a linux machine on your net that is
so full of holes you could drive a truck through it. Of course the user
uses the same password on it that he uses on all other university
systems. No need for inconvenience eh? ;-). Then I would very much prefer
that the passwords would be encrypted by an algorithm that takes the
hacker (who gained root on the new machine in about 5 minutes) some weeks
to crack, because by that time the user's password will have changed
again.
And believe me, these users do exist (although not for long after we
discover what they did ;-)).
> Please, do add an "IMHO" at the beginning of each sentence.
>
Stefan
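To put a number on the argument above (a hash that takes "some weeks" to crack versus one that falls in hours), here is an added Python calculation that is not part of the thread. It assumes an attacker exhausting an 8-character lowercase password on one core, uses a constructed 1,000,000 guesses/second figure as a stand-in for classic DES crypt(), and uses PBKDF2 from the standard library as a stand-in for the tunable-cost hashes (md5, blowfish) the thread mentions.

```python
"""Added example: why a slow hash buys the time the poster is after.
Not from the thread. Assumed numbers: an attacker brute-forcing an
8-character lowercase password one core at a time, and a constructed
1,000,000 guesses/second rate standing in for classic DES crypt()."""
import hashlib
import os
import time

KEYSPACE = 26 ** 8                  # 8 lowercase letters (assumption)
DES_CRYPT_SECONDS_PER_GUESS = 1e-6  # constructed, not a measured figure


def days_to_exhaust(seconds_per_guess, keyspace=KEYSPACE):
    """Worst-case days for one core to try every candidate password."""
    return seconds_per_guess * keyspace / 86400.0


def cracked_before_rotation(seconds_per_guess, rotation_days, keyspace=KEYSPACE):
    """True if exhaustive search finishes inside the password-change window."""
    return days_to_exhaust(seconds_per_guess, keyspace) < rotation_days


def hash_cost_seconds(iterations, password=b"correct horse", salt=None):
    """Measure one PBKDF2-HMAC-SHA256 evaluation at a given work factor.
    PBKDF2 stands in for the tunable-cost hashes (md5-crypt, bcrypt)
    the thread mentions; the point is the cost knob, not the algorithm."""
    salt = salt if salt is not None else os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return time.perf_counter() - start


def iterations_for_target(target_seconds, probe=10_000):
    """Scale the iteration count so one hash costs about target_seconds
    on this machine (defender-side tuning of the work factor)."""
    per_iter = hash_cost_seconds(probe) / probe
    return max(probe, int(target_seconds / per_iter))


if __name__ == "__main__":
    fast = DES_CRYPT_SECONDS_PER_GUESS
    print(f"DES-like: {days_to_exhaust(fast):.1f} days to exhaust keyspace")
    slow_iters = iterations_for_target(0.05)
    slow = hash_cost_seconds(slow_iters)
    print(f"{slow_iters} PBKDF2 iterations: {slow:.3f}s/guess -> "
          f"{days_to_exhaust(slow):.0f} days")
    print("cracked within a 30-day rotation?",
          cracked_before_rotation(fast, 30), cracked_before_rotation(slow, 30))
```

With the constructed DES-like rate the whole keyspace falls in about 2.4 days, well inside a 30-day change window; at 0.05 s per guess the same search runs to over a hundred thousand days, which is the "weeks to crack" margin the message argues for.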