
Re: "Small" Bug



powder keg wrote:
> Yes, but you gave those to us.  Now, assuming these machines are running
> Hurd (which they're not) if we telnet to your machine and find someone who
> hasn't reset their default passwd...

What is the default password???

> No one is going to use the Hurd if you have some sort of nonsense like an
> open login shell.  It's an IS nightmare and it's clumsy, at best, pure
> stupidity at worst.  The more privileges to the unauthorized user, the more
> he can poke holes at the system.

I agree that it will scare a lot of people. Maybe it would be good to
make it an option if it isn't already.

There are a lot of daemons that run as nobody. It is so that *when*
somebody finds a problem they can only do things as nobody.

Try running this as nobody in Linux:
while true; do find / & done &

I'm not sure if you can do this on the Hurd, but if you can, it will
probably get fixed soon. ;)

> >To close the case I make the following suggestion: Double the length of the
> >passwords from eight to sixteen. This has the same effect.
> 
> This is the dumbest idea I've heard yet.  If people can't remember 8-letter
> passwords without scrawling it down in an obvious location, what makes you
> think they'll fare any better with 16-letter ones?

I had been using an 18-letter (9 num, 9 alpha) password until I noticed
it was ignoring the last 10. I don't know if Hurd supports MD5
passwords, but if it does you can have very very long passwords. 

I'm not sure how you define "security through obscurity". I would define
it as trying to hide something without really hiding it well. Do you
encrypt the usernames, or are they stored unencrypted? You can hide
something, but the most it will do is discourage somebody.

One way to discourage people if that is what you want would be to keep a
Bible next to each computer and use a verse, or part of one, or a few of
them as a password. That way the user doesn't need to memorise something
long, although he should memorise it if there is someone watching him.
Many people will get discouraged if they see someone type a 50 char
password. :)

-- 
Ivan Jager


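An added example, not part of Ivan's message and not Hurd or Linux code: the usual fix for the `while true; do find / & done &` fork bomb above is a per-user process limit, RLIMIT_NPROC (what `ulimit -u` sets), which the kernel enforces per real uid at fork() time. The program lowers its own soft RLIMIT_NPROC, forks children that stay alive until released, and counts how many forks the kernel refuses with EAGAIN. The function name `fork_until_limit` and the limit values are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Added example (not from the original message): demonstrate RLIMIT_NPROC,
the per-user process limit that caps what a fork bomb run as an
unprivileged user such as nobody can do. Tested on Linux; other POSIX
systems enforce the same limit, root (CAP_SYS_RESOURCE) is exempt.
"""
import errno
import os
import resource


def fork_until_limit(attempts: int, max_procs: int) -> dict:
    """Fork up to `attempts` children with the soft RLIMIT_NPROC lowered to
    `max_procs` (an illustrative value, not a recommended setting).

    Children block on a pipe until the parent releases them, so they stay
    alive and keep counting against the limit during the loop; the kernel
    reports the limit being hit by failing fork() with EAGAIN.

    Returns {"attempted", "forked", "refused"}; forked + refused == attempted.
    """
    soft, hard = resource.getrlimit(resource.RLIMIT_NPROC)
    # Only the soft limit is lowered: an unprivileged process may raise it
    # again up to `hard`, so the original value can be restored afterwards.
    if hard == resource.RLIM_INFINITY:
        new_soft = max_procs
    else:
        new_soft = min(max_procs, hard)
    resource.setrlimit(resource.RLIMIT_NPROC, (new_soft, hard))

    read_fd, write_fd = os.pipe()
    children = []
    refused = 0
    try:
        for _ in range(attempts):
            try:
                pid = os.fork()
            except OSError as exc:
                if exc.errno == errno.EAGAIN:  # per-user process limit reached
                    refused += 1
                    continue
                raise
            if pid == 0:
                # Child: drop the write end, block until the parent closes its
                # write end (read returns EOF), then exit without running the
                # parent's cleanup code.
                os.close(write_fd)
                os.read(read_fd, 1)
                os._exit(0)
            children.append(pid)
    finally:
        os.close(write_fd)  # releases every blocked child at once
        os.close(read_fd)
        for pid in children:
            os.waitpid(pid, 0)
        resource.setrlimit(resource.RLIMIT_NPROC, (soft, hard))

    return {"attempted": attempts, "forked": len(children), "refused": refused}


if __name__ == "__main__":
    result = fork_until_limit(attempts=8, max_procs=2)
    print(result)
    if os.geteuid() == 0:
        print("running as root: RLIMIT_NPROC is not enforced for root, "
              "which is exactly why daemons drop to nobody")
```

Run as an unprivileged user, most of the eight forks are refused because the user's existing processes already count against the limit of 2; run as root, none are, which is the point of running daemons as nobody in the first place: the limit only protects you from accounts it applies to.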