Bugtraq mailing list archives

Re: Plain text passwords--necessary

From: fmmarzoa () SIRE ES (Francisco M. Marzoa Alonso)
Date: Fri, 16 Apr 1999 10:51:56 +0200


Well, I don't think so... diferent points of view are cool but in this
case... Reciently i send a message about "plain text password" on Real
Media server for administrator purpouses. The fact is that password was
stored in plain text in the system to be administrated, not in a remote
one. EMMO this is stupid, we are speaking about a UNiX system, the program
could create a new user with his new password well stored on /etc/passwd
(or /etc/shadow)... well... i mean in the standard manner, and use the
corresponding standar functions in order to do the authentification of the
user wich logs here remotlely.

Out of this case, as you say if you want to connect to a remote system
several times, your local system must have the required password(s) stored
in plain text in any place. Well, i've my ~/.fetchmailrc with a pair of
passwords of two acounts writed in that way, but in this case fetchmail
(at least my version) get you adviced if you put wrong rights on
.fetchmailrc wich allow another users to read the content so security is
guaranteed through standard security of the system in wich fetchmail is
over. Anyway, if security were critical on my system, probably i could be
a bit paranoid and could write my password everytime when wants to
download mail.

To end, you say there's situations in which password should be
stored in the system in plain text format ? well... don't known no one
(but temporary situations) in wich that must be necesary but, with all, if
there's no another way to store it, please, the installation system could
be a bit clever and, at least, put correct permissions to the file in wich
the password is stored or, at least, at least, at least, when the program
runs by first time tell "hey you! that file permissions are wrong!"

Ahm! and avoid these stupid crypt algorithms. ;->

Have a good one!

Excuse my poor english. I'm in the way of improve it... hehehe...

--
Francisco M. Marzoa Alonso
http://club.idecnet.com/~fmmarzoa

Current thread:

Re: Plain text passwords--necessary Francisco M. Marzoa Alonso (Apr 16)
- <Possible follow-ups>
- Re: Plain text passwords--necessary Aleph One (Apr 16)
  - Re: Plain text passwords--necessary Phillip Vandry (Apr 19)
    - Corrected Linux 2.2.5 FIN/NULL/XMAS block patch Taral (Apr 19)
    - Re: Corrected Linux 2.2.5 FIN/NULL/XMAS block patch Taral (Apr 20)
    - Re: Plain text passwords--necessary Taral (Apr 19)
  - Re: Plain text passwords--necessary Trevor Schroeder (Apr 19)
    - bug in ssh allowing to be invissible Grzegorz Stelmaszek (Apr 19)
    - Re: bug in ssh allowing to be invissible Pete (Apr 20)
    - Re: bug in ssh allowing to be invissible Joe Gross (Apr 20)
    - NetBSD Security Advisory 1999-009 matthew green (Apr 20)

(Thread continues...)