On Wed, 4 Jun 2014 00:15:58 +0200 Alexander Huemer <[email protected]> wrote:
> You think so? That's not at all what I personally associate with this
> feature. Can you elaborate?

Many people don't understand how hashing functions work. The shadow file
might suggest knowing the hash inherently unveils the password in some
magic way.

In reality, the incorporation of the shadow file was motivated to make
brute-force attacks slower and less effective, but they are still
possible. Thus, the shadow file locks things up a bit more, brings some
more complexity, but this doesn't mean /etc/passwd is insecure.

If you use strong passwords, you don't need the shadow file. If you have
a weak password, the shadow file on the other hand just delays the
eventual breach.

Looking at it from the programmer's side: Implementing /etc/shadow brings
more complexity to the program. Avoiding complexity is one goal to set,
thus avoiding /etc/shadow is a good way to simplify things.

As Dimitris said before: If you are serious about breaking into a
computer, the security brought by login is laughable and easy to
circumvent.

Cheers

FRIGN

-- 
FRIGN <[email protected]>
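The difference the message above turns on, a hash kept in world-readable /etc/passwd versus an `x` placeholder that points at /etc/shadow, shown as an added example that is not part of the original message: a small auditor over passwd(5)-format lines. The function names and the sample data (including the placeholder hash strings) are constructed for illustration.

```python
# Added example: classify the password field of passwd(5)-format lines.
# SAMPLE is constructed; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1000:1000::/home/alice:/bin/sh
bob::1001:1001::/home/bob:/bin/sh
daemon:*:2:2::/:/sbin/nologin
carol:CONSTRUCTED13:1002:1002::/home/carol:/bin/sh
broken-line
"""

# Identifiers used by the crypt(3) modular format ($id$salt$hash).
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def classify(field):
    """Return what the second passwd field holds."""
    if field == "":
        return "empty"          # no password required
    if field == "x":
        return "shadowed"       # hash lives in /etc/shadow
    if field[0] in "*!":
        return "locked"         # password login disabled
    if field.startswith("$"):
        parts = field.split("$")
        ident = parts[1] if len(parts) > 2 else ""
        return "hash:" + SCHEMES.get(ident, "unknown")
    if len(field) == 13:
        return "hash:descrypt"  # traditional 13-character DES crypt
    return "hash:unknown"

def audit(text):
    """Yield (line number, user, classification) for each entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:    # passwd(5) has exactly seven fields
            findings.append((n, None, "malformed"))
            continue
        findings.append((n, fields[0], classify(fields[1])))
    return findings

def readable_hashes(findings):
    """Users whose hash any local account can read and attack offline."""
    return [user for _, user, kind in findings if kind.startswith("hash:")]

if __name__ == "__main__":
    for n, user, kind in audit(SAMPLE):
        print(n, user, kind)
```
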
