Re: Shadow Passwords

To: debian-user@Pixar.com
Subject: Re: Shadow Passwords
From: Ian Jackson <ian@chiark.chu.cam.ac.uk>
Date: Sun, 4 Feb 96 13:44 GMT
Message-id: <[🔎] m0tj4kO-0002bjC@chiark.chu.cam.ac.uk>
In-reply-to: <199601312025.VAA02091@i17linuxb.ists.pwr.wroc.pl>
References: <m0thfsj-00014ZC@miles.econ.queensu.ca> <199601312025.VAA02091@i17linuxb.ists.pwr.wroc.pl>

Marek Michalkiewicz writes ("Re: Shadow Passwords"):
...
> I know some people don't like shadow passwords.
...

Well, speaking as one of those `some people', I'd like to point out
that things like the recent security hole in login where typing in a
long username would cause a buffer overrun don't exactly give me great
confidence in the implementation quality.

Certainly before this hole is fixed a system with a shadow `login'
is/was definitely much more vulnerable than one without shadow
passwords at all.

Why should we believe that the rest of the code is any better ?  If
they can't even get something as basic as this right, why should we
trust them to write anything at all ??

Ian.

Reply to:

Follow-Ups:
- Re: Shadow Passwords
  - From: jhenders@wimsey.com (John Henders)
- Re: Shadow Passwords
  - From: Lars Wirzenius <liw@iki.fi>
- Re: Shadow Passwords
  - From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>

Prev by Date: how to change the kernel in the boot disk?
Next by Date: Re: xbase installation problem
Previous by thread: Re: Shadow Passwords
Next by thread: Re: Shadow Passwords
Index(es):
- Date
- Thread