[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: Password leaks are security holes

Hi Johan,
* Johan Walles <johan.walles@gmail.com> [2008-08-28 11:46]:
> Let's keep debian-security in the discussion to see what others have
> to say about this.
> Technically I agree with you when you say that people shouldn't enter
> anything but their usernames at the login prompt, but the fact is that
> people (like me and the bug submitter for example) *do* enter their
> passwords there from time to time.  People make mistakes, and this is
> not an uncommon one.

Maybe this is the case but that's why this file is only 
readable for root and the adm group. So if an attacker is 
able to read this file you have way more problems as he 
wouldn't need to check the auth log for user errors but 
could just trace the login process, crack shadow, write a 
custom pam module or something similar to get your login 

> Security shouldn't be based on nobody ever doing more or less common mistakes.

See above.

Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpBEEu_88JiE.pgp
Description: PGP signature

Reply to: