On Mon, Jun 02, 2014 at 06:41:45PM +0200, FRIGN wrote:
> Well, I prefer /etc/passwd, given it gives a false feeling of security
> using the shadow-file.
> In reality, it's a solution for a very unimportant issue.
> If your password is strong, having the hashes won't help any attacker.
> On the other hand, having a weak password, the shadow-file doesn't save
> you from a breach.
>
Well, it won't save you, but delay it significantly! Testing a password
with login takes 5 seconds, testing a password with the hash at hand
takes less than a microsecond.

But I concur this issue is pretty unimportant. Most security breaches
these days occur due to faulty software allowing arbitrary code
execution from network input. Or some fault/feature in the operating
system allowing circumvention of the login prompt. (If you give me
physical access to a Linux box, I'll get access to it.) So knowing a
password isn't necessary any more.

> Cheers
>
> FRIGN
>

Ciao,
Markus
