On Tue, Jun 15, 2004 at 11:48:34AM -0500, Kirk Strauser wrote:
> At 2004-06-15T13:46:21Z, Matthew Seaman <[EMAIL PROTECTED]> writes:
>
> > The fact that sysadmins generally don't know users' passwords, and have no
> > practical means of finding them out if the user doesn't want them to know
> > what it is.
>
> Install and play with "john". It was enlightening for me.

There was a tacit assumption in what I was saying that users wouldn't choose weak passwords. Now, I know that is completely unrealistic and never happens in practice unless a suitably large stick is wielded to concentrate the lusers' minds. It's the difference between theory and practice.

> > Since the sysadmin doesn't know what the users' password is on the systems
> > he admins, the user can safely use the same password on other systems with
> > different admins.
>
> For the sake of clarity, is that your belief, or are you explaining what
> other peoples' opinions?

That's the theoretical ideal, assuming that everybody concerned acts in a reasonable way so as not to leave security holes that you could drive a truck through... In practice, it probably isn't like that.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614