Bugtraq mailing list archives
Re: Plain text passwords--necessary
From: fmmarzoa () SIRE ES (Francisco M. Marzoa Alonso)
Date: Fri, 16 Apr 1999 10:51:56 +0200
Well, I don't think so... different points of view are cool, but in this case... Recently I sent a message about the "plain text password" on Real Media server for administration purposes. The fact is that the password was stored in plain text on the system being administered, not on a remote one. IMHO this is stupid: we are speaking about a UNIX system, and the program could create a new user with his new password properly stored in /etc/passwd (or /etc/shadow)... well... I mean in the standard manner, and use the corresponding standard functions to authenticate the user who logs in there remotely.

Outside of this case, as you say, if you want to connect to a remote system several times, your local system must have the required password(s) stored in plain text somewhere. Well, I have my ~/.fetchmailrc with a pair of passwords for two accounts written that way, but in this case fetchmail (at least my version) warns you if you put wrong permissions on .fetchmailrc which allow other users to read the content, so security is guaranteed through the standard security of the system on which fetchmail runs. Anyway, if security were critical on my system, I could probably be a bit paranoid and type my password every time I want to download mail.

To end, you say there are situations in which a password should be stored on the system in plain text format? Well... I don't know of any (except temporary situations) in which that is necessary but, all the same, if there's no other way to store it, please, the installation system could be a bit clever and, at least, put correct permissions on the file in which the password is stored or, at least, at least, at least, when the program runs for the first time, say "hey you! those file permissions are wrong!"

Ahm! And avoid these stupid crypt algorithms. ;->

Have a good one!

Excuse my poor English. I'm working on improving it... hehehe...

--
Francisco M. Marzoa Alonso
http://club.idecnet.com/~fmmarzoa