[svlug] crack

Dagmar d'Surreal dagmar at dsurreal.org
Fri Feb 9 10:37:01 PST 2001


On Wed, 7 Feb 2001, Rick Moen wrote:

> begin Marc MERLIN quotation:
> 
> > John does not split the password file and ship it to 20 different machines
> > for processing by common salts (at least not last time I checked)
> 
> Quite.  For that, you'll want one of mio-star, saltine-cracker, or
> slurpie -- likewise mentioned in my article (cited previously).  Which
> nobody seems to be bothering to check before posting, I notice.  Ah well.
>  
> > Daemons that crash can have a copy of the shadow file in their core file,
> > but that's only an example.
> 
> If that is permitted, and the core file is readable by anyone but root,
> then that is a major design bug, and I assume it would be of great
> interest to Bugtraq.  Can you cite any actual instances of this?

I used to snap up shadow files all the time this way, man.  Especially on
HPUX systems.  Wu-ftp was also quite fond of core-dumping and leaving the
core file lying around in a place you specify.  Stuff like this is why the
majority of systems have core files truncated to 0 bytes by default now.
Bugtraq not only knows about this, they'd consider it a very dead issue
for that reason.
 
> > shadow is only security by obscurity, nothing more...
> 
> You have my interest:  Please cite a real-world example.
> 
> > If you had the chance to setup a valid password validator before the users
> > showed up, you're fine, but in real life, you often have to check existing
> > passwords.
> 
> Thus cracklib.
> 
> -- 
> Cheers,                                Before enlightenment, caffeine.
> Rick Moen                              After enlightenment, caffeine.
> rick at linuxmafia.com
> 
> 
> _______________________________________________
> svlug mailing list
> svlug at lists.svlug.org
> http://lists.svlug.org/mailman/listinfo/svlug
> 
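The mitigation Dagmar describes (core files truncated to 0 bytes) is the login-shell `ulimit -c 0`, which a daemon started from init never sees. The following is an added example, not code from this thread or from any of the programs it names: it shows how a daemon that must read secrets such as /etc/shadow keeps them out of a core file by disabling core dumps in-process with `setrlimit(RLIMIT_CORE)`, marking itself non-dumpable on Linux with `prctl(PR_SET_DUMPABLE)`, and wiping the secret once it is no longer needed. The function names, the checks and the sample shadow line are the example's own constructions.

```c
/* Added example: keep secrets read by a daemon out of core files.
 * Not part of the svlug thread; function names are hypothetical. */
#include <stdio.h>
#include <stddef.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Disable core dumps for this process. Same effect as "ulimit -c 0" in a
 * login environment, but done inside the daemon so it holds regardless of
 * how the daemon was started. Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0) {
        perror("setrlimit(RLIMIT_CORE)");
        return -1;
    }
#ifdef __linux__
    /* Non-dumpable also blocks ptrace by unprivileged users and reads of
     * /proc/<pid>/mem, not only the core file itself. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return -1;
    }
#endif
    return 0;
}

/* Return 1 if the effective core-size limit is zero (and, on Linux, the
 * process is marked non-dumpable), else 0. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    int dumpable_ok = 1;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
#ifdef __linux__
    dumpable_ok = (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0);
#endif
    return (rl.rlim_cur == 0 && dumpable_ok) ? 1 : 0;
}

/* Overwrite a secret buffer through a volatile pointer so the compiler
 * cannot drop the stores as dead (a plain memset() before free() often is).
 * Returns the number of bytes cleared. */
size_t wipe_secret(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    for (size_t i = 0; i < len; i++)
        p[i] = 0;
    return len;
}

/* Return 1 if every byte of buf is zero, so callers can verify the wipe. */
int is_wiped(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed stand-in for one line read from /etc/shadow. */
    char shadow_line[] =
        "root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:11000:0:99999:7:::";

    /* Order matters: limits go down before the secret is in memory. */
    if (disable_core_dumps() != 0)
        return 1;
    printf("core dumps disabled: %s\n", core_dumps_disabled() ? "yes" : "no");

    /* ... authenticate against shadow_line here ... */

    wipe_secret(shadow_line, sizeof shadow_line);
    printf("secret wiped: %s\n",
           is_wiped(shadow_line, sizeof shadow_line) ? "yes" : "no");
    return 0;
}
```

Lowering RLIMIT_CORE never needs privilege, so the call cannot fail for an unprivileged daemon, and the limit is inherited by any children it forks. On Linux a process that has changed its credentials (setuid, setgid) is already non-dumpable unless `fs.suid_dumpable` has been raised; the explicit `prctl` covers daemons that run as one user throughout. Wiping the buffer matters even with cores disabled, since a later memory-disclosure bug would otherwise hand over the same bytes.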