
Fwd: Password leaks are security holes

Hi Nico!

Let's keep debian-security in the discussion to see what others have
to say about this.

Technically I agree with you when you say that people shouldn't enter
anything but their usernames at the login prompt, but the fact is that
people (like me and the bug submitter for example) *do* enter their
passwords there from time to time.  People make mistakes, and this is
not an uncommon one.

Security shouldn't be based on nobody ever making more or less common mistakes.

  Regards //Johan

---------- Forwarded message ----------
From: Nico Golde <debian-security+ml@ngolde.de>
Date: 2008/8/27
Subject: Re: Password leaks are security holes
To: Johan Walles <johan.walles@gmail.com>
Cc: 311772@bugs.debian.org, control@bugs.debian.org

Hi Johan,
* Johan Walles <johan.walles@gmail.com> [2008-08-27 22:26]:
> severity 311772 critical
> tag 311772 + security
> thanks
> When users' clear text passwords are logged, that's a security hole.
> Setting severity to critical since this bug "introduces a security
> hole on systems where you install the package".  Quote is from the
> definition of the critical severity at
> http://www.debian.org/Bugs/Developer#severities.

No, it's not; if you edit your credit card number as a user
name this is also not the application's fault.

"makes unrelated software on the system (or the whole
system) break, or causes serious data loss, or introduces a
security hole on systems where you install the package."
This doesn't say anything about users not being able to use
the software in a proper way.

Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
