Or given a list of valid usernames on one system, forge
email to that user's associates elsewhere. Or spam in
his name, etc...

On Fri, Sep 10, 1999 at 02:24:29PM -0400, Dave Sill wrote:
> Sam <[EMAIL PROTECTED]> wrote:
>
> >[EMAIL PROTECTED] writes:
> >
> >> Anyhow, I realize that giving information "up front" on working
> >> usernames on the system is probably at least a small security risk,
> >> so I'd rather not do that,
> >
> >I've yet to see anyone make a cogent argument for this, instead of
> >accepting it as a given.
>
> It's pretty obvious. Given two systems, one that advertises users and
> one that doesn't, and an infinite supply of kiddie krackers doing
> brute-force searches for accounts with easy-to-guess passwords, the
> system that advertises usernames will be broken into first, on
> average, because the crackers will waste less time trying to break
> into nonexistent accounts.
>
> -Dave
--
Christopher F. Miller, Publisher [EMAIL PROTECTED]
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039
1.207.657.5078 http://www.maine.com/
Database publishing, e-commerce, office/internet integration, Debian linux.