On Wed, 3 Nov 2010, Mark Allums wrote:
> I know it is the hashes. Everything leaves tracks. It's not the passwords
> that might be compromised, it's the privacy. I expect this is an example of
> extreme paranoia, but still...
> An unrelated example: Incognito mode (AKA, porn mode) of Google Chrome.
> Forensic researchers have published articles about how much they found out
> about the user even after they used the "secure" mode.
> You can't reverse the hash, but a pattern in the history file might tell
> someone something you don't want them to know. Granted, you could keep the
If the hash algorithm is worth its salt (pun intended) then there
shouldn't be a pattern in the hashes even if there is in the passwords.
If the file keeps timestamp information in plaintext, that may reveal
information like when the user tends to change their password, which may or
may not be useful to an attacker.
I think on balance the risk is low though.
The hash log could be subject to a brute-force attack. /etc/shadow is
also subject to a brute-force attack if someone can get root on the box. This is
useful as passwords are often reused across systems, so they could use
this to break into other systems. /etc/shadow would deliver current
rather than old passwords, so it is far more valuable too.
Personally I don't think much of keeping a record of old password hashes
but for a different reason: they are easily circumvented by the user
changing their password several times until they can reuse the old one
again. Some organisations have tried to prevent this by limiting how
quickly passwords can be changed - the problem with this approach should
be obvious :)
Cheers,
Rob
--
Email: rob...@timetraveller.org Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.practicalsysadmin.com
Contributing member of Software in the Public Interest (http://spi-inc.org/)
Open Source: The revolution that silently changed the world
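The two points Rob makes above, that a salted hash log shows no pattern even when the passwords do, and that a fixed-depth history is defeated by churning through throwaway passwords, are easy to see in code. The following is an added example written for this archive page, not code from the thread, from Debian or from PAM's password-history modules; the PBKDF2 work factor, the history depth and the "hunter2"/"throwaway-N" passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Added example, not code from the thread or from Debian/PAM.
# A hypothetical per-account password-history store. The iteration
# count and history depth are assumptions chosen for illustration.

ITERATIONS = 50_000   # assumed PBKDF2 work factor, kept small for speed
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def unsalted_hash(password: str) -> bytes:
    """What a history file that is NOT 'worth its salt' would store."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def history_reveals_pattern(passwords, salted: bool) -> bool:
    """True if equal passwords leave equal stored values, i.e. the log shows
    which old passwords were identical without anyone reversing a hash."""
    if salted:
        digests = [hash_password(p, os.urandom(SALT_BYTES)) for p in passwords]
    else:
        digests = [unsalted_hash(p) for p in passwords]
    return len(set(digests)) < len(digests)


class PasswordHistory:
    """Keeps the last `depth` (salt, digest) pairs for one account."""

    def __init__(self, depth: int = 5):
        self.depth = depth
        self.entries = []  # (salt, digest), oldest first

    def is_reused(self, candidate: str) -> bool:
        # Re-derive the candidate under every stored salt; compare in constant time.
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in self.entries
        )

    def change(self, new_password: str) -> bool:
        """Return True if the change was accepted, False if it hit the history."""
        if self.is_reused(new_password):
            return False
        salt = os.urandom(SALT_BYTES)
        self.entries.append((salt, hash_password(new_password, salt)))
        del self.entries[:-self.depth]  # keep only the newest `depth` entries
        return True


def changes_needed_to_cycle_back(depth: int, favourite: str = "hunter2") -> int:
    """The circumvention: count the throwaway changes a user needs before
    `favourite` is accepted again. Filler passwords are constructed and distinct."""
    history = PasswordHistory(depth)
    if not history.change(favourite):
        raise RuntimeError("fresh history should accept any password")
    churn = 0
    while not history.change(favourite):
        churn += 1
        history.change(f"throwaway-{churn}")
    return churn


if __name__ == "__main__":
    sample = ["hunter2", "hunter2", "correct horse"]  # constructed sample
    print("unsalted log leaks reuse:", history_reveals_pattern(sample, salted=False))
    print("salted log leaks reuse:  ", history_reveals_pattern(sample, salted=True))
    print("changes to cycle back with depth 5:", changes_needed_to_cycle_back(5))
```

The unsalted variant leaks which entries were the same password purely by equality of digests, which is the "pattern in the history file" Mark is worried about; the salted variant does not. The last function shows why the history alone is a weak control: with depth N, exactly N throwaway changes bring the old password back, which is what pushes organisations toward minimum-age rules and their own problems.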
--
Archive:
http://lists.debian.org/alpine.deb.1.10.1011031131570.16...@castor.opentrend.net