Re: Password leaks are security holes

To: debian-security@lists.debian.org
Subject: Re: Password leaks are security holes
From: Eduardo M KALINOWSKI <eduardo@kalinowski.com.br>
Date: Fri, 29 Aug 2008 08:22:28 -0300
Message-id: <[🔎] 48B7DBF4.2020209@kalinowski.com.br>
In-reply-to: <[🔎] 48B74575.9050909@ieee.org>
References: <[🔎] 9b0752e70808271228j33d116b6m8c5d19af201ee591@mail.gmail.com> <20080827203237.GB4739@ngolde.de> <[🔎] 9b0752e70808280003y3d40d0bjabd62e6a75c3071c@mail.gmail.com> <[🔎] 48B65589.5080308@debian.org> <[🔎] 9b0752e70808280405m2aafc310r883526c6ee65e21c@mail.gmail.com> <[🔎] 20080828113820.GA10008@johndoe666.info> <[🔎] 48B74575.9050909@ieee.org>

Simon Valiquette wrote:
>    Personally, I would prefer never to see password stored in clear text 
> anywhere, whatever the file permissions are.  And If I really want to 
> still see them, I certainly won't complain if all I have to do is make a 
> small change to the default configuration file, telling the system that I 
> know what I am doing.
>   

No password is stored in this case. User names (or whatever the user
input as "user name") are. If the user types some other random thing
instead of an user name, that doesn't make it a password, even if the
random garbage happens to be a password. And even if in this case the
password gets stored (not as such, but as a mistakenly typed user name),
it is by default hidden from view, unless the system administrator does
something different, such as your syslog-over-network example.

-- 
Do not dry clean.

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
http://move.to/hpkb

Reply to:

Follow-Ups:
- Re: Password leaks are security holes
  - From: Simon Valiquette <v.simon@ieee.org>

References:
- Password leaks are security holes
  - From: "Johan Walles" <johan.walles@gmail.com>
- Fwd: Password leaks are security holes
  - From: "Johan Walles" <johan.walles@gmail.com>
- Re: Fwd: Password leaks are security holes
  - From: "Giacomo A. Catenazzi" <cate@debian.org>
- Re: Fwd: Password leaks are security holes
  - From: "Johan Walles" <johan.walles@gmail.com>
- Re: Fwd: Password leaks are security holes
  - From: "A. Dreyer" <ml10038@adreyer.com>
- Re: Password leaks are security holes
  - From: Simon Valiquette <v.simon@ieee.org>

Prev by Date: Re: [Yaird-devel] Bug#496500: yaird: fails to create initrd when running 2.6.24 etchnhalf kernel
Next by Date: Re: Please add Debian Security Advisory info for CVE-2008-2812
Previous by thread: Re: DNS and cats: Password leaks are security holes
Next by thread: Re: Password leaks are security holes
Index(es):
- Date
- Thread