Re: Password leaks are security holes
Eduardo M KALINOWSKI un jour écrivit:
Simon Valiquette wrote:
Personally, I would prefer never to see password stored in clear text
anywhere, whatever the file permissions are. And If I really want to
still see them, I certainly won't complain if all I have to do is make a
small change to the default configuration file, telling the system that I
know what I am doing.
No password is stored in this case. User names (or whatever the user
input as "user name") are. If the user types some other random thing
instead of an user name, that doesn't make it a password, even if the
random garbage happens to be a password.
Pedantically, that's true. But a smart human will have no difficulties
to guess that It is probably a password and guess the associated account name.
And even if in this case the
password gets stored (not as such, but as a mistakenly typed user name),
it is by default hidden from view, unless the system administrator does
something different, such as your syslog-over-network example.
I already explained in a previous post how even if the logs are kept
only on a single host and even if the logs are only root readable, that It
can still helps compromising other systems.
Anyway, I saw that the maintainer recognized It as a problem and marked
the bug as confirmed, so I won't argue any more about It as I don't think
I have anything useful to add.