Re: Logging attempted passwords
From: pleriche (pleriche_at_xalt.co.uk)
Date: Mon, 25 Oct 2004 13:21:53 +0100
To: <firstname.lastname@example.org>
True up to a point, that if someone has compromised your logs then your login account isn't safe. But mainly because of privilege escalation threats. It's more than possible that the permissions on your logs might not be quite tight enough, whereupon if someone has hacked *any* unprivileged account (and there's sure to be one with a weak password) he has the possibility of hacking other, possibly more privileged accounts if hints to their passwords can be found in a log. Even if perms on logs are ok, you might still end up with passwords in an editor temporary file in /tmp. The only safe policy is to ensure passwords are *never* stored or displayed in the clear.
If the burglar gets in the front door, you don't just wring your hands and say "OK, here's the keys to my safe", you make sure you put barriers in his way at every point you can.
There is a place for using password crackers (with full, signed permission from management) for checking for weak passwords, but any other reason for logging passwords (short of a full-blown forensic investigation) would need a pretty convincing justification.
>>> Suppose your password is 'Open*SSH-3.9' (without the quotes). But
>>> that's pretty hard to type on some keyboards with hyperactive Shift
>>> keys, so maybe you fail by accidentally typing 'OPen*SSH-3.9', and
>>> that gets logged. Now, someone gets hold of your logs (by whatever
>>> means). Do you think your password is "safe" any more?
>No, but even if my password is not logged in some log, I would think
>my password was not safe if I knew that someone had gotten a hold of
>the logs... If the system is compromised, then all bets are off.
>It's that simple. Under such circumstances, you'd better change your
>password, regardless (and re-install the OS from known-clean media,
>and apply all updates before re-connecting it to the network, and)...
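
A check for the log-permission concern raised in the message above, as an added example that is not part of the original post: it walks a log directory and reports regular files whose mode lets accounts other than the owner read or modify them. The function names and the /var/log default are assumptions; group-readable files are deliberately not flagged, on the assumption that a dedicated log-reading group is in use.

```python
import os
import stat
import sys

# Mode bits that expose a log to accounts other than its owner.
# Group-read is not listed (assumption: a dedicated log-reading group exists).
RISKY_BITS = {
    stat.S_IROTH: "world-readable",
    stat.S_IWOTH: "world-writable",
    stat.S_IWGRP: "group-writable",
}


def audit_log_permissions(root):
    """Return {path: [problems]} for regular files under root with loose modes."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a planted symlink
            except OSError:
                continue  # file rotated away between listing and stat
            if not stat.S_ISREG(st.st_mode):
                continue
            problems = [label for bit, label in RISKY_BITS.items()
                        if st.st_mode & bit]
            if problems:
                findings[path] = problems
    return findings


def format_report(findings):
    """Render findings as sorted 'path: problem, problem' lines."""
    return [f"{path}: {', '.join(findings[path])}" for path in sorted(findings)]


if __name__ == "__main__":
    # /var/log is an assumed default; pass another directory as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/log"
    for line in format_report(audit_log_permissions(target)):
        print(line)
```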