
Re: "Small" Bug
How do you compromise a box with a username but no password? I challenge you:

brinkmds@mailhost.ruhr-uni-bochum.de
brinkmd@master.debian.org
brinkmd@va.debian.org
finnegan@users.sourceforge.net
marcus@gnu.org

Those are four user names on wholly different systems.

How retarded.

Yes, but you gave those to us. Now, assuming these machines are running Hurd (which they're not) if we telnet to your machine and find someone who hasn't reset their default passwd...

This is a lot different than sitting at a terminal with no mailing list, no computer, etc. and wondering, "hmm, where should I start?"

No one is going to use the Hurd if you have some sort of nonsense like an open login shell. It's an IS nightmare and it's clumsy, at best, pure stupidity at worst. The more privileges to the unauthorized user, the more he can poke holes at the system.

Why don't we make the passwords visible as well? It's just tooooo difficult these days to retype a password again and, more than likely, most people don't have people looking over their shoulders anyway.

Just because you want to break the rules of common sense to make a statement about your "it'll never happen" mentality doesn't mean we need to suffer with the possibility of compromising our systems.

Here is one for you: "root". Probably 90% of all machines have it.

Yeah, but the root account doesn't usually have a simple password like the average user has (birthday, mother's maiden name, etc). The root password isn't going to be posted on a monitor with a post-it note.

To close the case I make the following suggestion: Double the length of the passwords from eight to sixteen. This has the same effect.

This is the dumbest idea I've heard yet. If people can't remember 8-letter passwords without scrawling it down in an obvious location, what makes you think they'll fare any better with 16-letter ones?