[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Shadow Passwords

Marek Michalkiewicz writes ("Re: Shadow Passwords"):
> I know some people don't like shadow passwords.

Well, speaking as one of those `some people', I'd like to point out
that things like the recent security hole in login where typing in a
long username would cause a buffer overrun don't exactly give me great
confidence in the implementation quality.

Certainly before this hole is fixed a system with a shadow `login'
is/was definitely much more vulnerable than one without shadow
passwords at all.

Why should we believe that the rest of the code is any better ?  If
they can't even get something as basic as this right, why should we
trust them to write anything at all ??


Reply to: