On Wed, 4 Jun 2014 00:15:58 +0200
Alexander Huemer <alexander.huemer_AT_xx.vu> wrote:
> You think so? That's not at all what I personally associate with this
> feature. Can you elaborate?
Many people don't understand how hashing functions work. The
shadow file might suggest knowing the hash inherently unveils the
password in some magic way.
In reality, the incorporation of the shadow file was motivated to make
brute-force attacks slower and less effective, but they are still
possible.
Thus, the shadow file locks things up a bit more, brings some more
complexity, but this doesn't mean /etc/passwd is insecure.
If you use strong passwords, you don't need the shadow file. If you
have a weak password, the shadow file on the other hand just delays the
eventual breach.
Looking at it from the programmer's side: Implementing /etc/shadow
brings more complexity to the program. Avoiding complexity is one goal
to set, thus avoiding /etc/shadow is a good way to simplify things.
As Dimitris said before: If you are serious about breaking into a
computer, the security brought by login is laughable and easy to
circumvent.
Cheers
FRIGN
--
FRIGN <dev_AT_frign.de>
Received on Wed Jun 04 2014 - 12:44:01 CEST