DNS and cats: Password leaks are security holes
On 2008-08-28 20:40, Simon Valiquette wrote:
> That's obviously true, but that doesn't cover the case when logs are
> copied to a second system with sysadmins that don't have access to the
> first server. And if someone uses the standard 514 syslog port instead of
> using an SSL tunnel or the newer syslog-tls on port 601, well you get
> cleartext passwords on the wire (yes, people sometimes make stupid
> mistakes).
I once typed a password accidentally in the address line of a web
browser, which popped up at the wrong moment. This resulted in a
DNS query for my password. I hereby declare it a security bug
that the web browser tries to resolve my password! :~)
> Personally, I would prefer never to see passwords stored in clear text
> anywhere, whatever the file permissions are.
We're talking here about a password that has been typed
accidentally for other information. We're not talking about a
regular password store. If the password is good, nobody will
assume a password, but think that a cat ran over the keyboard.