Re: [cobalt-users] Checking user password
- Subject: Re: [cobalt-users] Checking user password
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Wed Dec 5 20:13:00 2001
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"Roy A. Urick" <roy.urick@xxxxxxxxxxxxxxxx> wrote:
> No, generally speaking (for all network password systems, not just
> cobalt/*nix systems), they set it so that nobody can get your password for
> security reasons, not even admins or Roots.
Let's just say my version of the facts is different than your version. ;-)
Storing the password one way encrypted makes it difficult to guess the
password, though if the password is weak cracking it can be done fairly
quickly with brute force. The fact that it's stored in such a fashion does
improve security, but the only thing it prevents is someone with shell
access to a box with incorrect permissions on /etc/shadow from seeing
passwords in clear text.
> That prevents unauthorized and undetected
> intrusion into your account.
I think you have a false sense of security. Encrypted passwords by
themselves do nothing to prevent a user's account or files from being
accessed by someone with root privileges.
> Admins can change it to a known password to
> gain access when needed, but at that point, the user knows it's been
> compromised.
It's trivial for anyone with root access to a box to change another user's
password, then return it to its previous value. If that user tried to log in
when the password was changed they might be suspicious about why they
couldn't, but there are many explanations - some of which are even valid. ;0
More importantly, anyone with root access can access any files on the server
and, unless they're an idiot and do something very stupid, an unprivileged
user would never have a clue.
> It basically prevents nosey admins from snooping around in people's
> sensitive stuff undetected.
I'm not saying box admins are malicious or snoopy, but the encrypted
passwords *do not* prevent a box owner from doing anything at all and
certainly play no role in detecting what's been accessed.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
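The two points Steve makes above (hashing only helps if /etc/shadow itself is protected, and root can change a hash and put it back) suggest what an admin-side audit should actually look at. The following is an added example, not code from the thread or from Cobalt: it checks the shadow file's mode and owner, and compares a snapshot of each account's hash and last-change day (shadow field 3, days since the epoch) against a saved baseline, so a hash that was swapped and restored, or a rewrite that left no field different, is flagged. The sample entries and hashes are constructed placeholders.

```python
# Added example: audit /etc/shadow permissions and compare a current snapshot
# (hash + last-change day) against a baseline taken earlier.
import stat


def check_shadow_mode(mode, uid):
    """Return findings for the st_mode and st_uid of /etc/shadow."""
    findings = []
    if uid != 0:
        findings.append("shadow not owned by root")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("shadow readable or writable by everyone")
    if mode & stat.S_IWGRP:
        findings.append("shadow writable by group")
    return findings


def parse_shadow(text):
    """Map user -> (hash, lastchg) from shadow-format lines."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries[fields[0]] = (fields[1], fields[2])
    return entries


def compare_snapshots(baseline, current, baseline_mtime, current_mtime):
    """Flag accounts whose hash or last-change day differ from the baseline.
    A hash that is unchanged while its last-change day moved is the trace a
    change-and-restore via passwd tends to leave; a newer mtime with no field
    differing means the file was rewritten for a reason worth checking."""
    findings = []
    for user, (old_hash, old_day) in baseline.items():
        if user not in current:
            findings.append((user, "account removed"))
            continue
        new_hash, new_day = current[user]
        if new_hash != old_hash:
            findings.append((user, "hash changed"))
        elif new_day != old_day:
            findings.append((user, "hash unchanged but last-change day moved"))
    for user in current.keys() - baseline.keys():
        findings.append((user, "new account"))
    if not findings and current_mtime > baseline_mtime:
        findings.append(("/etc/shadow", "file rewritten with no visible change"))
    return findings


# Constructed sample entries; the hashes are placeholders, not real ones.
BASELINE = "root:$6$aaaa$HASHroot:11600:0:99999:7:::\nalice:$6$bbbb$HASHalice:11600:0:99999:7:::\n"
CURRENT = "root:$6$aaaa$HASHroot:11600:0:99999:7:::\nalice:$6$bbbb$HASHalice:11661:0:99999:7:::\n"
```

On a live box the baseline would be stored outside the host (or on read-only media), since anyone with root can edit the baseline as easily as the shadow file.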