Re: [dev] [PATCH] [ubase] Simplify login

From: Markus Wichmann <nullplan_AT_gmx.net>
Date: Tue, 3 Jun 2014 21:16:01 +0200

On Mon, Jun 02, 2014 at 06:41:45PM +0200, FRIGN wrote:
> Well, I prefer /etc/passwd, given it gives a false feeling of security
> using the shadow-file.
> In reality, it's a solution for a very unimportant issue.
> If your password is strong, having the hashes won't help any attacker.
> On the other hand, having a weak password, the shadow-file doesn't save
> you from a breach.
>

Well, it won't save you, but delay it significantly! Testing a password
with login takes 5 seconds, testing a password with the hash at hand
takes less than a microsecond.

But I concur this issue is pretty unimportant. Most security breaches
these days occur due to faulty software allowing arbitrary code
execution from network input. Or some fault/feature in the operating
system allowing circumvention of the login prompt. (If you give me
physical access to a Linux box, I'll get access to it.) So knowing a
password isn't necessary any more.

> Cheers
>
> FRIGN
>

Ciao,
Markus
Received on Tue Jun 03 2014 - 21:16:01 CEST
