Hi, I've been lurking on this mailing list for a while (though I still haven't managed to use the Hurd, waiting for PPP) and I thought I'd chime in to this thread.

On Wed, Mar 15, 2000 at 09:52:48PM +0100, Marcus Brinkmann wrote:
> > Currently, such a user could simply walk up to a
> > login> prompt on a hurd box and get the same information that any valid
> > user on the hurd box could get.
>
> So what?
>

So the more information a potential attacker has, the less work he has to do to break into the system and do damage.

> How do you compromise a box with a username but no password? I challenge
> you:
>

The same way you compromise a box with a password but no username. You don't. The username by itself is useless, but so is a password by itself and obviously you don't go around arguing that the password shouldn't be hidden when it's typed in (or at least I hope you don't.) Knowing the username alone doesn't do anything _by itself_, but it does help a potential attacker attack.

> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> Those are four user names on wholly different systems.
>

I could go make 4 passwords right now, on 4 different systems with 4 different accounts (actually I couldn't, I only have one machine) and give you the passwords but it wouldn't help if you didn't know what machines they were or the usernames for them. If I gave you the addresses of all 4 boxes it would become easier, and if I gave you the addresses and a login> shell it would be easier yet, and if I just flat out told you what username went with what password on what machine it would be easiest still.

The point is that usernames may not be useful by themselves, but they are a needed piece of information by an attacker to break into the system. The less information that he has the longer it'll take him to break in and telling him "Invalid username" just makes it easier for him to find one piece of the information he needs, and you gain nothing from it. The user can see that the username is typed wrong just by looking at the screen if they got an "Invalid username/password pair" error. The attacker couldn't. So by changing the error message you help the attacker and gain nothing for the user.

> Here is one for you: "root". Probably 90% of all machines have it.

Most systems don't allow you to telnet in as root. The username is only useful if the attacker has physical access to the machine, which is a problem with the physical security, not the machine's.

> It's one of the VERY LAST things I would care about. It's a completely false
> sense of security.
>

It's not a sense of security, it's a little piece of security that makes it slightly more secure.

> To put the main argument in a single sentence: "What do you think is the
> password mechanism worth when knowing the username is likely to insecure the
> box?"
>

Knowing the username won't "insecure the box". It will just make it slightly _less_ secure.

> Usernames are there to separate several users, like PIDs separate
> processes. They don't even appear in the security model, so to speak of.
> (As opposed to key ids in public key cryptography, where authentication is
> important).
>

But if an attacker knows a PID of a process it probably won't help him break into your box.

--
Reject ([EMAIL PROTECTED])
"Children who aren't trusted become adults who can't be trusted"
--Anonymous
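
The error-message point argued above, as an added example that is not part of the original message: a login check that answers "Invalid username" beside one that gives a single "Invalid username/password pair" reply and does the same hashing work for unknown names. The account names, passwords, function names and iteration count are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # low so the example runs quickly; not a production setting

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_db(accounts: dict) -> dict:
    """Build {username: (salt, hash)} from constructed sample accounts."""
    db = {}
    for name, password in accounts.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash(password, salt))
    return db

# Constructed sample accounts, for illustration only.
USERS = make_user_db({"alice": "correct horse", "bob": "battery staple"})
# Dummy record so unknown usernames cost the same hashing work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def login_verbose(username: str, password: str) -> str:
    """The behaviour argued against: the reply reveals whether the name exists."""
    if username not in USERS:
        return "Invalid username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Invalid password"
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """One reply for every failure, and the same hashing work either way."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if username in USERS and matches:
        return "OK"
    return "Invalid username/password pair"

def failure_replies(login, usernames, wrong_password="wrong-guess"):
    """Map each probed username to the reply a failed attempt receives."""
    return {name: login(name, wrong_password) for name in usernames}
```

With `login_verbose`, `failure_replies` returns different text for an existing and a non-existing name; with `login_uniform` every failed attempt gets the same reply.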

