
Re: Fwd: Password leaks are security holes

Nico Golde once wrote:
> Hi Johan,
> * Johan Walles <johan.walles@gmail.com> [2008-08-28 13:14]:
>> 2008/8/28 Giacomo A. Catenazzi <cate@debian.org>:
>>> So auth.log should log usernames, so that users don't make the
>>> wrong assumption that passwords are not accessible by root!
>> I can see a point in logging *valid* usernames.  Logging invalid
>> usernames (which aren't unlikely to actually be passwords) is a
>> security risk.
>
> How would you determine valid and invalid ones? A user name that is considered valid could still be a password.

If that is the case, then it is most likely a very bad password that someone could guess anyway, so that is a non-issue (except for the fact that the password should obviously be changed for a better one).

Simon Valiquette
