[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Password leaks are security holes

Eduardo M KALINOWSKI un jour écrivit:
Simon Valiquette wrote:
Personally, I would prefer never to see password stored in clear text anywhere, whatever the file permissions are. And If I really want to still see them, I certainly won't complain if all I have to do is make a small change to the default configuration file, telling the system that I know what I am doing.

No password is stored in this case. User names (or whatever the user
input as "user name") are. If the user types some other random thing
instead of an user name, that doesn't make it a password, even if the
random garbage happens to be a password.

Pedantically, that's true. But a smart human will have no difficulties to guess that It is probably a password and guess the associated account name.

And even if in this case the
password gets stored (not as such, but as a mistakenly typed user name),
it is by default hidden from view, unless the system administrator does
something different, such as your syslog-over-network example.

I already explained in a previous post how even if the logs are kept only on a single host and even if the logs are only root readable, that It can still helps compromising other systems.

Anyway, I saw that the maintainer recognized It as a problem and marked the bug as confirmed, so I won't argue any more about It as I don't think I have anything useful to add.

Simon Valiquette

Reply to: