Re: [cobalt-users] Checking user password
- Subject: Re: [cobalt-users] Checking user password
- From: "Roy A. Urick" <roy.urick@xxxxxxxxxxxxxxxx>
- Date: Wed Dec 5 20:46:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
You missed my point. Yes, with cracking tools, it's possible. I am talking
about the casual meanderings of your typical bored, nosey, lazy admin, and
using encrypted passwords.
My point in all this is the systems are designed so admins can't just
casually look up a PW in a plain text file and start snooping. They gotta
WANT to get in and look (and work a little at it). Also, bear in mind I
include such environments as Novell and M$ in my scenarios.
As for changing the password and then replacing it to be undetected, once
again that assumes they took the time to crack it.
As a buddy of mine says... "Locks are only here to keep honest people
honest, not to keep bad people out"
----- Original Message -----
From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Wednesday, December 05, 2001 11:12 PM
Subject: Re: [cobalt-users] Checking user password
> "Roy A. Urick" <roy.urick@xxxxxxxxxxxxxxxx> wrote:
> > No, generally speaking (for all network password systems, not just
> > cobalt/*nix systems), they set it so that nobody can get your password
> > for security reasons, not even admins or Roots.
>
> Let's just say my version of the facts is different than your version.
> ;-)
> Storing the password one way encrypted makes it difficult to guess the
> password, though if the password is weak cracking it can be done fairly
> quickly with brute force. The fact that it's stored in such a fashion
> does improve security, but the only thing it prevents is someone with
> shell access to a box with incorrect permissions on /etc/shadow from
> seeing passwords in clear text.
>
> > That prevents unauthorized and undetected
> > intrusion into your account.
>
> I think you have a false sense of security. Encrypted passwords by
> themselves do nothing to prevent a user's account or files from being
> accessed by someone with root privileges.
>
> > Admins can change it to a known password to
> > gain access when needed, but at that point, the user knows it's been
> > compromised.
>
> It's trivial for anyone with root access to a box to change another
> user's password, then return it to its previous value. If that user
> tried to login when the password was changed they might be suspicious
> why they couldn't, but there are many explanations - some of which are
> even valid. ;0 More importantly, anyone with root access can access any
> files on the server and unless they're an idiot and do something very
> stupid an unprivileged user would never have a clue.
>
> > It basically prevents nosey admins from snooping around in people's
> > sensitive stuff undetected.
>
> I'm not saying box admins are malicious or snoopy, but the encrypted
> passwords *do not* prevent a box owner from doing anything at all and
> certainly play no role in detecting what's been accessed.
>
> --
> Steve Werby
> President, Befriend Internet Services LLC
> http://www.befriend.com/
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
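The thread turns on three things a shadow file does and does not give you: the hash field must actually be a one-way hash (not empty, not a weak scheme), the file must not be readable by unprivileged users, and a root user who changes a hash and puts it back leaves nothing behind for a later comparison to find. The following audit helper is an added example written for this page, not code from either poster or from Cobalt; the shadow lines it parses are constructed, with placeholder hash bodies, and the mode/uid checks take values directly so they can be exercised without touching a real /etc/shadow.

```python
"""Audit helpers for /etc/shadow-style files (added example; sample lines
are constructed and their hash bodies are placeholders, not real digests)."""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass

# Constructed sample of shadow lines; the hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:18900:0:99999:7:::
alice:$6$abcdefgh$PLACEHOLDERHASH2:18950:0:99999:7:::
bob:*:18950:0:99999:7:::
svc:!:18950:0:99999:7:::
legacy:$1$zzzzzzzz$PLACEHOLDERHASH3:15000:0:99999:7:::
nopass::18950:0:99999:7:::
"""

# crypt(3) hash prefixes: label and whether an auditor should flag them.
HASH_SCHEMES = {
    "$1$": ("md5crypt", True),   # fast, unsalted-era design: flag as weak
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False),
    "$2b$": ("bcrypt", False),
}


@dataclass(frozen=True)
class ShadowEntry:
    name: str
    hash_field: str
    last_change: str  # days since epoch, kept as the raw text field

    @property
    def locked(self) -> bool:
        # A leading "!" or "*" disables password login for the account.
        return self.hash_field.startswith(("!", "*"))

    def scheme_info(self) -> tuple[str, bool]:
        for prefix, info in HASH_SCHEMES.items():
            if self.hash_field.startswith(prefix):
                return info
        return ("unknown", True)

    @property
    def scheme(self) -> str:
        return self.scheme_info()[0]


def parse_shadow(text: str) -> dict[str, ShadowEntry]:
    """Parse shadow-format lines into a name -> entry map, skipping junk."""
    entries: dict[str, ShadowEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; a real audit would report it
        entries[fields[0]] = ShadowEntry(fields[0], fields[1], fields[2])
    return entries


def audit_entries(entries: dict[str, ShadowEntry]) -> list[tuple[str, str]]:
    """Flag accounts whose hash field offers less protection than it should."""
    findings = []
    for e in entries.values():
        if e.hash_field == "":
            findings.append((e.name, "empty password field: login needs no password"))
        elif e.locked:
            continue  # disabled account, nothing to crack
        else:
            label, weak = e.scheme_info()
            if weak:
                findings.append((e.name, f"weak or unrecognised hash scheme: {label}"))
    return findings


def diff_hashes(before: dict[str, ShadowEntry], after: dict[str, ShadowEntry]) -> list[str]:
    """Names whose hash field changed, appeared, or disappeared between snapshots.
    A hash that was changed and restored between two polls shows up as no change,
    which is why writes to the file should also be captured as they happen
    (for example with an auditd watch) rather than only compared afterwards."""
    names = sorted(set(before) | set(after))
    return [n for n in names
            if (before.get(n) and before[n].hash_field) != (after.get(n) and after[n].hash_field)]


def mode_findings(mode: int, uid: int) -> list[str]:
    """Permission findings for a shadow file given its mode bits and owner uid.
    Group read (root:shadow 0640) is the usual layout and is not flagged."""
    findings = []
    if uid != 0:
        findings.append(f"not owned by root (uid {uid})")
    if mode & stat.S_IRWXO:
        findings.append("world-accessible: unprivileged users can read the hashes")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def check_shadow_file(path: str = "/etc/shadow") -> list[str]:
    st = os.stat(path)
    return mode_findings(stat.S_IMODE(st.st_mode), st.st_uid)


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    for name, finding in audit_entries(entries):
        print(f"{name}: {finding}")
    for finding in mode_findings(0o644, 0):
        print(f"/etc/shadow (constructed mode 0644): {finding}")
```

The `diff_hashes` result for a snapshot taken before and after a change-and-restore is empty, which is the point Steve makes: comparing stored hashes afterwards cannot tell you a root user briefly swapped one in. The permission check is the one place where the hashed form does buy something, and only if the file is not world-readable.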