Marek Michalkiewicz writes ("Re: Shadow Passwords"):
...
> I know some people don't like shadow passwords.
...Well, speaking as one of those `some people', I'd like to point out that things like the recent security hole in login where typing in a long username would cause a buffer overrun don't exactly give me great confidence in the implementation quality. Certainly before this hole is fixed a system with a shadow `login' is/was definitely much more vulnerable than one without shadow passwords at all. Why should we believe that the rest of the code is any better ? If they can't even get something as basic as this right, why should we trust them to write anything at all ?? Ian.
