Date: Wed, 5 Nov 1997 12:46:16 +0100
From: Eivind Eklund <eivind@bitbox.follo.net>
To: Terry Lambert <tlambert@primenet.com>
Cc: tom@sdf.com, hackers@FreeBSD.ORG
Subject: Re: Password verification (Was: cvs commit: ports/x11/kdebase - Imported sources)
Message-ID: <19971105124616.58971@bitbox.follo.net>
In-Reply-To: <199711042333.QAA24121@usr02.primenet.com>; from Terry Lambert on Tue, Nov 04, 1997 at 11:33:29PM +0000
References: <19971103191349.30502@bitbox.follo.net> <199711042333.QAA24121@usr02.primenet.com>

On Tue, Nov 04, 1997 at 11:33:29PM +0000, Terry Lambert wrote:
> > > > Is it restricted to only let a user check his own password?  Or could
> > > > we make it only check a user's own password fairly easily?
> > >
> > > How would that be useful?
> >
> > Security.  If a user can check other people's passwords, he can
> > brute-force passwords.  If he can't, he can't. :-)
>
> /usr/bin/login
> rshd
> telnetd
> rlogind
> pop3d
>
> ....uh, the user can already check other people's passwords this way.

The only one of these that is universal is /usr/bin/login; it still
contains a slow-down to make it hard to use for brute-force attacks.

And I'd still say that verifying his/her own password is a privilege
that is logical for a user to have; checking other people's passwords
isn't (or at least isn't in the same category.)

Eivind.
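
The two properties discussed in this message, a checker that only verifies the caller's own password and a slow-down after a failed attempt, sketched as an added example that is not part of the original e-mail or of any FreeBSD code. The account table, the PBKDF2 hashing, the doubling delay schedule and all names (`OwnPasswordChecker`, `NotPermitted`, `ACCOUNTS`) are assumptions made for illustration.

```python
import hashlib
import hmac
import time


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumption; the thread does not name a hash scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed account table standing in for the system password database.
ACCOUNTS = {
    "alice": {"uid": 1001, "salt": b"constructed-salt-a"},
    "bob": {"uid": 1002, "salt": b"constructed-salt-b"},
}
ACCOUNTS["alice"]["hash"] = _hash("correct horse", ACCOUNTS["alice"]["salt"])
ACCOUNTS["bob"]["hash"] = _hash("hunter2", ACCOUNTS["bob"]["salt"])


class NotPermitted(Exception):
    """Caller asked to verify a password for an account it does not own."""


class OwnPasswordChecker:
    def __init__(self, accounts, base_delay=1.0, max_delay=30.0,
                 sleep=time.sleep):
        self.accounts = accounts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.sleep = sleep          # injectable so the delay can be observed
        self.failures = {}          # uid -> consecutive failed attempts

    def verify(self, caller_uid: int, username: str, password: str) -> bool:
        entry = self.accounts.get(username)
        # Refuse before touching any hash, so an unknown name and another
        # user's account are indistinguishable to the caller.
        if entry is None or entry["uid"] != caller_uid:
            raise NotPermitted(username)
        candidate = _hash(password, entry["salt"])
        if hmac.compare_digest(candidate, entry["hash"]):
            self.failures.pop(caller_uid, None)
            return True
        # Slow-down on failure: doubles per consecutive miss, up to a cap.
        n = self.failures.get(caller_uid, 0)
        self.failures[caller_uid] = n + 1
        self.sleep(min(self.base_delay * 2 ** n, self.max_delay))
        return False
```

In a real helper the caller's uid would come from the operating system (for example `os.getuid()` in a privileged helper process), never from an argument the caller controls.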