[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: gdm Create User



On Sunday 07 October 2007 11:33:45 Lubomir Kundrak wrote:
> > A successful account breach requires 3 things: a machine name, a valid
> > account, and the password. Letting people know that an account is valid
> > cuts the attack down to a dictionary attack.
>
> So what about trying to hide the machine name?

Yes that is a good thing to try, but likely to be exposed. NAT's do some 
degree of protecting this. But this is really not the point of this thread.

> This is plain nonsense. Time that was spent avoiding timing `attacks' was
> wasted. The _password_  is meant to be a key that is to be hidden, not the
> account name. 

No, it is both. This is why face logins are bad in a secure setting.

> If  anything, dictionary attacks can be done against the username-password
> pair also.

Yes that is true. But not having a valid account name doubles the complexity 
and requires you to work even longer.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]