David Johnson wrote:
psutton<mypassword in plain text for all to see >=c:\windows\psutton<first letter of password.pwl>
Well we all like to bash Microsoft, but what attack are you afraid of? I mean someone with physical access to your PC can pretty well do what they like. Linux is arguably marginally better in some regards as they may have to reboot if you always lock it when you leave it unattended, but I've seen very few PCs adequately protected against a malicious and informed person with local access. Although we used to lock PC access pretty tightly at the UK Meteorological Office with password protection at boot - not BIOS, that is too easy to reset in hardware.

Encrypted partitions offer a little protection of data from probing eyes, but nothing stops them dropping a "password" stealer in to get the magic phrase for the next time they have access.

Windows 95 sent unencrypted passwords with network requests; worse, it would send all the passwords you'd entered since login. Windows 98 encrypted them, but even access to encrypted passwords isn't ideal, if it is possible to run a dictionary attack.

Linux and Unix users shouldn't be complacent; even though Unix has always encrypted passwords, Crack shows just how quick and easy a dictionary attack can be. Which is why the passwords are now shadowed. But shadowed encrypted passwords are not the best answer as it means you still have to send the unencrypted password to the server, something that Windows no longer requires!

Out of the box few systems are good, but M$ systems can now do some very cool authentication stuff bundled with the OS, and the *nix world really needs to sharpen up their practices. Good (free! as in speech) authentication solutions exist for *nix, but all too often business or vendors assume "this method is good enough" when in fact it offers very little protection against the knowledgeable attacker. Or it doesn't integrate nicely. I for one could do with knowing more about PAM.
Well we all know what the solution to that is don't we :-) (Says I using Windows ME!)
:( Why?

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.