gdm Create User
Steve Grubb
sgrubb at redhat.com
Sun Oct 7 15:43:53 UTC 2007
On Sunday 07 October 2007 11:33:45 Lubomir Kundrak wrote:
> > A successful account breach requires 3 things: a machine name, a valid
> > account, and the password. Letting people know that an account is valid
> > cuts the attack down to a dictionary attack.
>
> So what about trying to hide the machine name?
Yes that is a good thing to try, but likely to be exposed. NAT's do some
degree of protecting this. But this is really not the point of this thread.
> This is plain nonsense. Time that was spent avoiding timing `attacks' was
> wasted. The _password_ is meant to be a key that is to be hidden, not the
> account name.
No, it is both. This is why face logins are bad in a secure setting.
> If anything, dictionary attacks can be done against the username-password
> pair also.
Yes that is true. But not having a valid account name doubles the complexity
and requires you to work even longer.
-Steve
More information about the fedora-devel-list
mailing list