Re: gdm Create User
- From: Steve Grubb <sgrubb redhat com>
- To: Lubomir Kundrak <lkundrak redhat com>
- Cc: fedora-devel-list redhat com
- Subject: Re: gdm Create User
- Date: Sun, 7 Oct 2007 11:43:53 -0400

On Sunday 07 October 2007 11:33:45 Lubomir Kundrak wrote:
> > A successful account breach requires 3 things: a machine name, a valid
> > account, and the password. Letting people know that an account is valid
> > cuts the attack down to a dictionary attack.
>
> So what about trying to hide the machine name?

Yes, that is a good thing to try, but likely to be exposed. NATs do some
degree of protecting this. But this is really not the point of this thread.

> This is plain nonsense. Time that was spent avoiding timing `attacks' was
> wasted. The _password_ is meant to be a key that is to be hidden, not the
> account name.

No, it is both. This is why face logins are bad in a secure setting.

> If anything, dictionary attacks can be done against the username-password
> pair also.

Yes, that is true. But not having a valid account name doubles the complexity
and requires you to work even longer.

-Steve