
Re: adduser: what is the difference between --disabled-password and --disabled-login



On Sat, May 14, 2005 at 07:22:56PM -0700, Steve Langasek wrote:
> > I also think it would be really "cool"(TM) if the system could display
> > a message "password expired" or "account is locked" if the user
> > successfully authenticates to the system but is unable to authorize
> > the user to use the system. This saves the user wondering "did I use
> > the correct password?", "Did I enter it in correctly?", etc.
> 
> This leaks information to attackers about the state of the account.

Hence "could": I don't consider the fact that an account is expired or
locked (or exists, for that matter) to be sensitive information, for
my uses, and would much prefer to give proper error messages.  People
with different security needs/philosophies use different policies ...

(I'd be satisfied if I could convince logins/su to not force a pointless
delay on an incorrect password--the only thing more annoying than mistyping
my password is having my own system force me to wait.  One of these days I'll
get annoyed enough by this to track down why "FAIL_DELAY 0" isn't being
honored ...)

-- 
Glenn Maynard
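
As an added example, not part of Glenn Maynard's message and not code from adduser, login or PAM: the shell function below reads a shadow(5) entry and reports which of the states debated above applies, so a practitioner can see exactly what a "password expired" or "account is locked" message would disclose to someone who cannot read /etc/shadow. Field semantics follow shadow(5) (a password field beginning with `!` is locked, `*` is not a usable hash, field 8 is the account expiry day, fields 3 and 5 drive password aging); the function name `shadow_state`, the state labels and the sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from adduser/login/PAM.
# shadow_state: classify one shadow(5) entry into the state a login
# would have to report: locked, no-password, account-expired,
# password-expired or active.  Field layout follows shadow(5):
#   name:password:lastchg:min:max:warn:inactive:expire:reserved
# "today" is passed in as days since the epoch so results are reproducible.

shadow_state() {
    entry=$1
    today=$2
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    lastchg=$(printf '%s\n' "$entry" | cut -d: -f3)
    maxdays=$(printf '%s\n' "$entry" | cut -d: -f5)
    expire=$(printf '%s\n' "$entry" | cut -d: -f8)

    case $pw in
        '!'*) echo locked;      return 0 ;;  # '!' prefix: locked by passwd -l / usermod -L
        '*')  echo no-password; return 0 ;;  # '*': no usable password hash at all
    esac
    # Account expiry (field 8) applies regardless of the password's state.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo account-expired; return 0
    fi
    # Password aging: expired once lastchg + max days lies in the past.
    if [ -n "$lastchg" ] && [ -n "$maxdays" ] \
       && [ $((lastchg + maxdays)) -lt "$today" ]; then
        echo password-expired; return 0
    fi
    echo active
}

# Constructed sample entries (not from any real system); hashes are placeholders.
demo_today=19500
for e in \
    'alice:$6$salt$placeholder:19000:0:99999:7:::' \
    'bob:!$6$salt$placeholder:19000:0:99999:7:::' \
    'carol:*:19000:0:99999:7:::' \
    'dave:$6$salt$placeholder:19000:0:90:7:::' \
    'erin:$6$salt$placeholder:19000:0:99999:7::19400:'
do
    printf '%-8s %s\n' "${e%%:*}" "$(shadow_state "$e" "$demo_today")"
done
```

On a real system the second argument would be `$(( $(date +%s) / 86400 ))` and the entries would come from /etc/shadow, which only root can read. That is the point of the disagreement above: the five states this function tells apart are exactly the information a descriptive login failure message hands to anyone who can reach the login prompt, whether or not one considers that information sensitive.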