True, but there's something more. If one hacks a machine on the network (that is so unsecure) a sniffer will do, as an unsecure network sure uses telnet instead of ssh and so on.

---
Bogdan Zapca
System Administrator
SC EcoSoft SA Internet Service Provider
1-7 Deva st, Cluj-Napoca, Romania
Tel: +40 64 199696
PGP: http://www.itotal.ro/lupe@admin2.ecosoft.ro.pgp
http://www.ecosoft.ro

On Wed, 16 Aug 2000, Stefan Suurmeijer wrote:
On Wed, 16 Aug 2000, Bogdan Zapca wrote:
Much ado about nothin', I think. Roman is right. If an attacker has access to your encrypted password there's nothing to worry about, you've been hacked. If one sets up a good security policy (tcp wrappers, firewall, user access) there's nothing to worry about cracked passwords. Using something like shadow works just fine. You could even set up a plain text password file instead of crypt, md5, blowfish and others.
Yes, but it's the difference between one host being hacked and an entire network. I don't know about your network of course, but on ours there are A LOT of hosts, some of which are even maintained by users (much to my horror and disgust ;-)). What about a user who decides he wants to use Linux and installs a default installation of say RedHat 4.2 (because he had that lying around anyway) and makes his (registered Windows host) multi boot, so suddenly you have a linux machine on your net that is so full of holes you could drive a truck through it. Of course the user uses the same password on it that he uses on all other university systems. No need for inconvenience eh? ;-). Then I would very much prefer that the passwords would be encrypted by an algorithm that takes the hacker (who gained root on the new machine in about 5 minutes) some weeks to crack, because by that time the user's password will have changed again. And believe me, these users do exist (although not for long after we discover what they did ;-)).
Please, do add an "IMHO" at the beginning of each sentence.
Stefan