Mailing List SIMS@mail.stalker.com Message #6348
From: Bill Cole <listbill@scconsult.com>
Subject: Re: pw privacy [was: has anyone seen this before....]
Date: Thu, 29 Jun 2000 15:41:41 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 2:31 PM -0700 6/28/00, Systems imposed structure on a stream of
electrons, yielding:
>> Gee, I liked that feature. I used it when I had a person insisting that
>> they were typing the right password and couldn't connect. I checked the
>> log, saw that the password WAS right, and finally found that Eudora Lite
>> was doing something screwy.
>
>Yes, I agree, don't change it.  I can think of lots more reasons to have
>them cleartext than not.
>
>Besides if someone can read your logs to glean passwords, you've got a lot
>more serious problems on your hands.

Yup. Even if Stalker didn't show passwords in logs, supporting APOP means
SIMS must have passwords in a recoverable form. They could be encrypted
in the user files, but anyone with access to the files could still run a
dictionary attack on the files or disassemble SIMS to get the decryption
algorithm.

I think it is better that the passwords get shown in the logs, because it
makes obvious the necessity of maintaining security on the physical box
and on access to the SIMS directory.

--
Bill Cole
MAPS L.L.C. Consulting Services Group
wkc@mail-abuse.org (work)
bill@scconsult.com (personal)
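
Added example, not part of the message above and not SIMS code: a sketch of why APOP (RFC 1939) forces the server to keep a recoverable password. The server must compute MD5(challenge + secret) itself, which a one-way record supports for USER/PASS but not for APOP. The host name, sample password and PBKDF2 record format are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def apop_digest(challenge: str, secret: str) -> str:
    """RFC 1939 APOP response: hex MD5 of the greeting timestamp + shared secret."""
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()

def new_challenge(host: str = "mail.example.test") -> str:
    """Fresh per-connection banner timestamp (constructed format, hypothetical host)."""
    return "<%d.%s@%s>" % (os.getpid(), os.urandom(8).hex(), host)

def verify_apop(challenge: str, stored_secret: str, client_digest: str) -> bool:
    """Server side: only possible when the original secret can be recovered."""
    return hmac.compare_digest(apop_digest(challenge, stored_secret), client_digest)

def one_way_record(password: str):
    """What a server would keep if it stored passwords irreversibly (assumed format)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def verify_pass(record, presented: str) -> bool:
    """USER/PASS login: the client sends the password, so a one-way record suffices."""
    salt, derived = record
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(candidate, derived)

def verify_apop_from_record(challenge: str, record, client_digest: str) -> bool:
    """APOP against a one-way record: the server has no password to feed MD5,
    so the only input available (the derived key) never reproduces the digest."""
    _salt, derived = record
    guess = hashlib.md5(challenge.encode("utf-8") + derived).hexdigest()
    return hmac.compare_digest(guess, client_digest)

if __name__ == "__main__":
    password = "correct horse"                 # constructed sample secret
    challenge = new_challenge()
    digest = apop_digest(challenge, password)  # what the client would send
    record = one_way_record(password)
    print("APOP, recoverable secret:", verify_apop(challenge, password, digest))
    print("PASS, one-way record:    ", verify_pass(record, password))
    print("APOP, one-way record:    ", verify_apop_from_record(challenge, record, digest))
```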