Recent Features
| ||||||||||||||||||||||||||
busybox: insecure password generation
(Log in to post comments)
busybox: insecure password generation Posted May 11, 2006 22:32 UTC (Thu) by landley (guest, #6789) [Link] This is not a "new vulnerability". Salting passwords is something busyboxnever did (in its entire history) until now. Probably because the whole point of the /etc/shadow file is to be readable only by root, so attackers have to crack root in order to grab a copy of the file in the first place. Salt's been added to svn and will be in the 1.1.3 release, but it's questionable how worked up about it to get. If somebody's grabbed a copy of your shadow file, salt just slows them down. (And not that much; a modern laptop can grind through a 6 character md5 password, randomly distributed among 100 or so typable chacters, in about a day.)
busybox: insecure password generation Posted May 3, 2007 7:02 UTC (Thu) by nix (subscriber, #2304) [Link] I suppose it's useful if you're using something like NIS where your entirepassword file is visible to the world.
(Mind you if you're using NIS you probably don't care much about security
|
||||||||||||||||||||||||||