spencer at lasermount.uklinux.net
Thu Feb 19 00:04:14 PST 2004
On Wed, 18 Feb 2004 09:22:02 -0500, Harley J Pig wrote:
> I know I'm a complete unknown, but why not do the following:
> If it's a successful login, don't log the password;
> otherwise log the attempted login name and password.
But if you do this you have the potential to reduce the search space that
needs to be checked for valid passwords considerably.
Say, for example, that user 'wibble' has the password 'FX123oK', but one
day they don't notice that CAPS LOCK is on and enter 'fx123Ok'. You would
then have this sitting there in the log file for anyone to read, and it would
be trivial to generate all the possible capitalizations, either to try
them at the login prompt, or else to generate all the encrypted values and
see which one matches.
And it's no good storing the encrypted value of the entered password,
because it should be impossible (with any good password-encryption scheme)
to get from the encrypted password back to the plaintext - otherwise,
there'd be no point storing the passwords encrypted in the first place.
<<< Eagles may soar, but weasels don't get sucked into jet engines >>>
7:53am up 69 days 14:25, 19 users, load average: 0.01, 0.13, 0.54
Registered Linux User #232457 | LFS ID 11703
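The search-space argument in the post above, worked through as an added example; this is not code from the original message or from the HLFS project. The log line, its format, the salt and the use of PBKDF2-HMAC-SHA256 as a stand-in for the system's password hash are all constructed for the demonstration. Given a failed attempt logged in the clear, it enumerates every capitalization of what was typed and checks each one against the stored hash, which is exactly the attack the post describes.

```python
import hashlib
import itertools
import re

# Constructed log line in the style the post argues against: a failed login
# that records the password as typed. Not a real login(1) or PAM log format.
LOGGED_FAILURE = (
    "Feb 18 09:22:02 host login[1234]: FAILED LOGIN for wibble, "
    "password 'fx123Ok'"
)
LOG_RE = re.compile(r"FAILED LOGIN for (?P<user>\S+), password '(?P<password>[^']*)'")

SALT = b"constructed-salt"   # assumed per-user salt; any real system would store its own
ITERATIONS = 10_000          # kept low so the demo runs quickly; production uses far more


def hash_password(password: str, salt: bytes = SALT) -> str:
    """Salted PBKDF2-HMAC-SHA256 standing in for the system's one-way password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def parse_failed_login(line: str):
    """Pull (user, typed_password) out of a constructed failed-login log line."""
    m = LOG_RE.search(line)
    return (m.group("user"), m.group("password")) if m else None


def case_variants(word: str):
    """Yield every capitalization of word: each letter is free, digits are fixed."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def search_space_size(word: str) -> int:
    """Number of capitalizations: 2 to the power of the letter count."""
    return 2 ** sum(c.isalpha() for c in word)


def full_alnum_space(length: int) -> int:
    """Size of a blind brute force over [A-Za-z0-9] of the same length, for comparison."""
    return 62 ** length


def recover_from_logged_attempt(logged_attempt: str, stored_hash: str, salt: bytes = SALT):
    """Hash every case variant of the logged near-miss and return the one that matches."""
    for candidate in case_variants(logged_attempt):
        if hash_password(candidate, salt) == stored_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed scenario: wibble's real password is 'FX123oK'; the log holds the
    # CAPS LOCK version. The stored hash is all a file-reading attacker needs.
    stored = hash_password("FX123oK")
    user, typed = parse_failed_login(LOGGED_FAILURE)
    print(f"logged attempt for {user}: {typed!r}")
    print(f"capitalizations to try: {search_space_size(typed)}")
    print(f"blind brute force of same length: {full_alnum_space(len(typed))}")
    print(f"recovered password: {recover_from_logged_attempt(typed, stored)!r}")
```

For the 7-character example from the post, four letters give 16 candidates against roughly 3.5 trillion for a blind search over the same length, and a single hash read from the password file is enough to confirm the hit offline without ever touching the login prompt.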