Hi all,

On Wednesday 02 Nov 2005 10:30, Holger Levsen wrote:
> Looked good to me, besides this:
>
> Three remarks about the 2nd paragraph: (quoted now for easier reference)
>
> +<para condition="etch">
> +The passwords can also be preseeded as MD5 <emphasis>hashes</emphasis>
> +by using the <classname>passwd/root-password-crypted</classname> and
> +<classname>passwd/user-password-crypted</classname> variables. Thihs
> +method is considered slightly better in terms of security but not
> +completely proof as well because physical access to a MD5 </para> hash
> +allows for brute force attacks. Some people even consider this method
> +can be less secure as it may give a false sense of security.
> +</para>

Wasn't there a way of preseeding that the password should be locked? (Apologies if this was already mentioned; I missed the beginning of the discussion.) I thought this was to set passwd/root-password-crypted to "*", but this isn't working for me. I had:

passwd passwd/root-password-crypted password *

Am I doing something wrong here?

> 2. s/Some people even consider this method can be less secure as it may
> give a false sense of security./Some people consider this method
> problematic as it may give a false sense of security./

(imho, with security "problematic" == "less secure") How about:

Some people consider this method less secure as it may give a false sense of security.

> Maybe it's even sensible to write it even shorter: "This method is
> considered slightly better in terms of security but it might also give a
> false sense of security because physical access to a MD5 hash allows for
> brute force attacks."

's OK, but I'm concerned for the user who doesn't know how to evaluate the risk with MD5 sums. Do we (or should we) give recommendations here? Personally, I think we should say use MD5 over plain-text, but how does the user quantify the risk with preseeding the root-password in whatever form it's stored?

Cheers,
Paul.
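Review bot: the `</para>` in the line `+completely proof as well because physical access to a MD5 </para> hash` closes the paragraph mid-sentence and leaves the final `+</para>` without a matching open element; drop the inner `</para>` so the `<para condition="etch">` block is well-formed. While there, `Thihs` should be `This`, and `not completely proof as well` reads better as `not completely secure either`.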
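As an added example, not from this thread or from the installer project, here is a small Python check that parses debconf preseed lines and classifies the password fields the quoted paragraph discusses: a plain-text value, a well-formed MD5-crypt (`$1$`) hash, or a locked-style `*`/`!` value. The sample preseed fragment and its hash are constructed; whether d-i actually honours `*` is the open question above, so the check only classifies what the file contains.

```python
import re

# Constructed sample preseed fragment (not from the thread); the hash is a
# well-formed MD5-crypt string but was not derived from any real password.
SAMPLE_PRESEED = """\
# root: MD5-crypt hash, as in the quoted documentation paragraph
d-i passwd/root-password-crypted password $1$abcdefgh$M6IbOsevqzP3SDdAtX4dI0
# first user: plain-text password and its confirmation
d-i passwd/user-password password insecure
d-i passwd/user-password-again password insecure
"""

# MD5-crypt layout: $1$<salt, 1-8 chars>$<22 chars>, alphabet [./0-9A-Za-z]
MD5_CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

PLAIN_KEYS = {"passwd/root-password", "passwd/root-password-again",
              "passwd/user-password", "passwd/user-password-again"}
CRYPTED_KEYS = {"passwd/root-password-crypted", "passwd/user-password-crypted"}


def parse_preseed(text):
    """Yield (owner, question, type, value) for each non-comment line.
    A preseed line is 'owner question type value'; the value may be empty."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError(f"malformed preseed line: {raw!r}")
        owner, question, qtype = parts[:3]
        yield owner, question, qtype, (parts[3] if len(parts) == 4 else "")


def classify_passwords(text):
    """Map each password question found to 'plain' (cleartext in the file),
    'md5-crypt' (well-formed $1$ hash), 'locked' ('*' or '!', the /etc/shadow
    convention for no usable password) or 'unknown' (other -crypted value)."""
    result = {}
    for _owner, question, _qtype, value in parse_preseed(text):
        if question in PLAIN_KEYS:
            result[question] = "plain"
        elif question in CRYPTED_KEYS:
            if value in ("*", "!"):
                result[question] = "locked"
            elif MD5_CRYPT_RE.match(value):
                result[question] = "md5-crypt"
            else:
                result[question] = "unknown"
    return result


if __name__ == "__main__":
    for question, kind in classify_passwords(SAMPLE_PRESEED).items():
        print(f"{question}: {kind}")
```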