dagmar at dsurreal.org
Fri Feb 9 17:07:07 PST 2001
On Fri, 9 Feb 2001, Marc MERLIN wrote:
> On Fri, Feb 09, 2001 at 04:42:22PM -0800, Dagmar d'Surreal wrote:
> > > > Since you're apparently taking the approach that shadowing is useless,
> > > > please define "crackable".
> > >
> > > Crackable is something _I_ can crack in a few days or a few weeks with
> > > Crack/JDR/whatever.
> > Tried to brute force properly chosen passwords lately?
> I never said I could.
> My point all along is that all the users should properly chosen passwords,
> whether you use shadow passwords or not.
> The reason I underlined "I" is because there are passwords that I couldn't
> crack, but that the NSA probably could.
*chuckle* The NSA doesn't need to crack your passwords. If they want into
your stuff, you and it will simply disappear in the middle of the
night. (Key abduction attack ;) )
> > > You send the hashed password to LDAP server, it says "matches" or "doesn't
> > > match". You never get to see any of the hashed passwords on the LDAP server
> > > (at least that's my understanding)
> > Pretty interesting. Hash goes across the wire in the clear then does it?
> LDAP connections can be made over SSL.
> If they're not, then yes, it's in the clear, which means that if you also
> have a broadcast network (instead of a switched one, like hopefully mostly
> everyone does by now), someone could be sniffing hashes one per one.
Shucks! I was hoping you'd admit to running LDAP in the clear. For those
in the peanut gallery, switched segments don't offer much protection
against someone who has learned their ugly little secrets.
> > > Sure, but one shouldn't be saying "I don't need to run crack or have
> > > cracklib linked to passwd since I have shadow passwords"
> > Did I say that?
> No, hence the use of "one" which was supposed to make it a general
> > > Trimming quotes and signatures would help a bit too.
> Sigh, I guess I'll have to trim them for both you and me then...
I trimmed 'em. ;) I just didn't have anything to say other than my act
of trimming that time.
More information about the svlug