From: The Deviant <deviant@pooh-corner.com>
To: Dave Kinchlea <security@kinch.ark.com>
Message Hash: b2d1fff2588a63b4cd40d90af2976c94a88acb4e41838400c6f95338cb3a8865
Message ID: <Pine.LNX.3.94.961117222029.564A-100000@random.sp.org>
Reply To: <Pine.LNX.3.95.961117141640.1181M-100000@kinch.ark.com>
UTC Datetime: 1996-11-17 22:23:35 UTC
Raw Date: Sun, 17 Nov 1996 14:23:35 -0800 (PST)
From: The Deviant <deviant@pooh-corner.com>
Date: Sun, 17 Nov 1996 14:23:35 -0800 (PST)
To: Dave Kinchlea <security@kinch.ark.com>
Subject: Re: RFC: A UNIX crypt(3) replacement
In-Reply-To: <Pine.LNX.3.95.961117141640.1181M-100000@kinch.ark.com>
Message-ID: <Pine.LNX.3.94.961117222029.564A-100000@random.sp.org>
MIME-Version: 1.0
Content-Type: text/plain
On Sun, 17 Nov 1996, Dave Kinchlea wrote:
> On Sun, 17 Nov 1996, The Deviant wrote:
> >
> > Oh.. you misunderstand what I'm saying... I'm not saying its unemportant
> > for you to have good passwords or anything like that, I'm just pointing
> > out that rather than replace the entire system, its more prudent to fully
> > install it.
> >
> > I still think admins should run crack against their own lists, etc., but
> > that still shouldn't be a problem to a good cracker. If you've just
> > gotten root on a system, you start backdooring everything, not trying to
> > crack the password list.
>
> Well, this certainly *IS* a different statement than I read from you
> before. I don't find anything to disagree with here. Though, if your
> passwords can't be cracked, what is the need for shadow passwords? It
> simply introduces more variables and offers no more security.
While thats all well and good, its also easier said than done. A creative
cracker can beat a lot of password filter routines. As somebody said to
me earlier, belt _and_ suspenders works best. ;)
--Deviant
Blood flows down one leg and up the other.
Return to November 1996
Return to “The Deviant <deviant@pooh-corner.com>”