Re: RFC: A UNIX crypt(3) replacement
Unless you're running yp, or if your wu-ftpd leaves a core
with the password entries still in memory, or sendmail can be used to
read any file on the system...
Belt *and* suspenders, and a lot more simplicity than wu-ftpd
or sendmail offers you.
Adam
The Deviant wrote:
| On Sun, 17 Nov 1996, Adam Shostack wrote:
| > The Deviant wrote:
| > | On Sat, 16 Nov 1996, Joshua E. Hill wrote:
| > | > I'm trying to think of a function to replace UNIX's crypt(3).
| > | > My design criteria are as follows:
| >
| > | Why? UNIX passwords with password shadowing are as secure as any password
| > | system is going to get. If your security holes are with passwords, it's
| > | because your admin is too lazy to install needed security provisions, not
| > | because the system of checking passwords is bad.
| >
| > A longer salt would make running crack against a large
| > password file slower.
|
| While that's all well and good, it shouldn't be necessary. If passwords are
| shadowed, one must have root access before one can run crack against the
| password list, at which time it is ineffective.
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
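
Added example, not part of the original messages: a cost model for the claim quoted above that a longer salt slows crack against a large password file, counting how many hash computations one candidate password costs when accounts that share a salt are covered by the same computation. The 12-bit figure is the salt size of traditional DES-based crypt(3); the 48-bit salt, the 50,000-account file and all function names are assumptions chosen for illustration.

```python
import math
import random

TRADITIONAL_SALT_BITS = 12  # traditional DES-based crypt(3); not stated in the thread
LONGER_SALT_BITS = 48       # assumed size of a "longer salt"
ACCOUNTS = 50_000           # constructed size for a "large password file"


def expected_distinct_salts(n_accounts, salt_bits):
    """Expected number of different salts when each account draws one uniformly."""
    space = 2 ** salt_bits
    # space * (1 - (1 - 1/space)**n), written with log1p/expm1 so the result
    # stays accurate when 1/space is tiny.
    return -space * math.expm1(n_accounts * math.log1p(-1.0 / space))


def simulated_distinct_salts(n_accounts, salt_bits, seed=1996):
    """Draw salts for a constructed password file and count the distinct ones."""
    rng = random.Random(seed)
    return len({rng.getrandbits(salt_bits) for _ in range(n_accounts)})


def hashes_per_guess(n_accounts, salt_bits):
    """Hash computations needed to test ONE candidate password against every
    account: one per distinct salt, since equal salts give equal hashes."""
    return simulated_distinct_salts(n_accounts, salt_bits)


def slowdown_from_longer_salt(n_accounts, short_bits, long_bits):
    """Factor by which the longer salt multiplies the per-guess work."""
    return hashes_per_guess(n_accounts, long_bits) / hashes_per_guess(n_accounts, short_bits)


if __name__ == "__main__":
    for bits in (TRADITIONAL_SALT_BITS, LONGER_SALT_BITS):
        print(f"{bits}-bit salt, {ACCOUNTS} accounts: "
              f"expected {expected_distinct_salts(ACCOUNTS, bits):.2f} distinct salts, "
              f"simulated {simulated_distinct_salts(ACCOUNTS, bits)}")
    factor = slowdown_from_longer_salt(ACCOUNTS, TRADITIONAL_SALT_BITS, LONGER_SALT_BITS)
    print(f"per-guess work grows by a factor of about {factor:.1f}")
```

The model only covers the case both posters are arguing about, where the hashed entries have already been read; it says nothing about how hard they are to obtain.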