> Well, who cares if one of them uses a weak password?

WOW! So, for you, it isn't important if you have a non-legitimate user who can use your machine as a base for attacking other machines. And, of course, it isn't important if you have an attacker in your system with all the time in the world to search for vulnerabilities in your system. The first step of any attack is always to get some non-privileged account and later try to get root privileges from it.

And when you have a big number of users, it means that the attacker is going to have more than one user's password, so when you detect the intrusion the only thing you can do is change the passwords of all the users...

There is a very good book that shows the problem of users with weak passwords, "The Cuckoo's Egg". It is a novel based on the experience of Clifford Stoll hunting a hacker at the end of the 80's, but a lot of things can be applied today (there is also a technical paper, but the novel is really good and less boring ;)).

Regards,
--
Roberto E. Vargas Caballero
