On Tue, Jun 15, 2004 at 11:48:34AM -0500, Kirk Strauser wrote:
> At 2004-06-15T13:46:21Z, Matthew Seaman <[EMAIL PROTECTED]> writes:
> 
> > The fact that sysadmins generally don't know users' passwords, and have no
> > practical means of finding them out if the user doesn't want them to know
> > what it is.
> 
> Install and play with "john".  It was enlightening for me.

There was a tacit assumption in what I was saying that users wouldn't
choose weak passwords.  Now, I know that is completely unrealistic and
never happens in practice unless a suitably large stick is wielded to
concentrate the lusers' minds. It's the difference between theory and
practice.
 
> > Since the sysadmin doesn't know what the users' password is on the systems
> > he admins, the user can safely use the same password on other systems with
> > different admins.
> 
> For the sake of clarity, is that your belief, or are you explaining what
> other people's opinions?

That's the theoretical ideal, assuming that everybody concerned acts
in a reasonable way so as not to leave security holes that you could
drive a truck through...  In practice, it probably isn't like that.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
