Re: [dev] [PATCH] [ubase] Simplify login
On Mon, Jun 02, 2014 at 06:41:45PM +0200, FRIGN wrote:
> Well, I prefer /etc/passwd, given it gives a false feeling of security
> using the shadow-file.
> In reality, it's a solution for a very unimportant issue.
> If your password is strong, having the hashes won't help any attacker.
> On the other hand, having a weak password, the shadow-file doesn't save
> you from a breach.
>
Well, it won't save you, but delay it significantly! Testing a password
with login takes 5 seconds, testing a password with the hash at hand
takes less than a microsecond.
But I concur this issue is pretty unimportant. Most security breaches
these days occur due to faulty software allowing arbitrary code
execution from network input. Or some fault/feature in the operating
system allowing circumvention of the login prompt. (If you give me
physical access to a Linux box, I'll get access to it.) So knowing a
password isn't necessary any more.
> Cheers
>
> FRIGN
>
Ciao,
Markus
Received on Tue Jun 03 2014 - 21:16:01 CEST
This archive was generated by hypermail 2.3.0
: Tue Jun 03 2014 - 21:24:06 CEST