
Re: [cobalt-users] Checking user password



On Wed, 5 Dec 2001, Roy A. Urick wrote:

> You missed my point. Yes, with cracking tools, it's possible. I am talking
> about the casual meanderings of your typical bored, nosey, lazy admin, and
> using encrypted passwords.

I don't think Steve did miss the point. The lazy admin just becomes
privileged, and looks at whatever he wants to anyhow, he / she doesn't
even need the passwords..

> 
> My point in all this is the systems are designed so admins can't just
> casually look up a PW in a plain text file and start snooping. they gotta

They don't HAVE to, they can just remove and replace it, 2 seconds in any
editor...But they don't need it anyway

> WANT to get in and look (and work a little at it). Also, bear in mind I
> include such environments as Novell and M$ in my scenarios.

Which is funny 'cause neither Novell nor Windows until recent versions
bothered encrypting passwords ;0

What the encryption does do is prevent other users from seeing the
passwords, because until shadow was invented, anyone could read the
password file, something that was necessary for plain users to be
able to get access to it to get unrelated info...(you need to keep in mind
that at one time one-way-hash was thought to be impractical to break, back
when computers ran at 20 MHz)

> As for changing the password and then replacing it to be undetected, once
> again that assumes they took the time to crack it.

Don't have to crack it to replace it, just cut/paste it -/
If you have enough access to set it, you have enough access to replace it
entirely..

> As a buddy of mine says... "Locks are only here to keep honest people
> honest, not to keep bad people out"

If you need a lock, the guy ain't honest ;0

-or-

Trust is what someone does when you AREN'T looking...

> 
> ----- Original Message -----
> From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
[clipped]

gsh
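
Added example (not part of the original message or of any Cobalt tooling): the direct hash edit discussed in this thread can be spotted by comparing snapshots of the shadow file, since passwd(1) updates the last-change field and a hand edit usually does not. The function names are hypothetical and the account names and hash strings are constructed sample data in shadow(5) format.

```python
def parse_shadow(text):
    """Map username -> (hash_field, lastchg_field) from shadow(5)-format text."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blank, comment and malformed lines rather than guess at them.
        if len(fields) >= 3 and not fields[0].startswith("#"):
            entries[fields[0]] = (fields[1], fields[2])
    return entries


def diff_snapshots(old_text, new_text):
    """Return sorted (user, finding) pairs between two shadow snapshots."""
    old, new = parse_shadow(old_text), parse_shadow(new_text)
    findings = []
    for user in sorted(set(old) | set(new)):
        if user not in old:
            findings.append((user, "account added"))
        elif user not in new:
            findings.append((user, "account removed"))
        elif old[user][0] != new[user][0]:
            if old[user][1] == new[user][1]:
                # passwd(1) rewrites lastchg; an editor session usually does not.
                # A second legitimate change on the same day looks identical.
                findings.append((user, "hash changed, lastchg unchanged"))
            else:
                findings.append((user, "hash changed, lastchg updated"))
    return findings


# Constructed snapshots: alice's hash was replaced by hand, bob used passwd(1).
BEFORE = """\
root:$1$CONSTRUCTa$AAAAAAAAAAAAAAAAAAAAAA:11650:0:99999:7:::
alice:$1$CONSTRUCTb$BBBBBBBBBBBBBBBBBBBBBB:11655:0:99999:7:::
bob:$1$CONSTRUCTc$CCCCCCCCCCCCCCCCCCCCCC:11600:0:99999:7:::
"""
AFTER = """\
root:$1$CONSTRUCTa$AAAAAAAAAAAAAAAAAAAAAA:11650:0:99999:7:::
alice:$1$CONSTRUCTx$XXXXXXXXXXXXXXXXXXXXXX:11655:0:99999:7:::
bob:$1$CONSTRUCTd$DDDDDDDDDDDDDDDDDDDDDD:11661:0:99999:7:::
"""

if __name__ == "__main__":
    for user, finding in diff_snapshots(BEFORE, AFTER):
        print(f"{user}: {finding}")
```

Because a restored hash leaves the file identical to the original, the snapshots have to be taken on every write to the file, not on a daily schedule.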