Message-ID: <200306042015.h54KFYYt062675@mailserver2.hushmail.com>
From: tido at hushmail.com (tido@...hmail.com)
Subject: Re: IRCXpro 1.0 - Clear local and default remote admin passwords
Unless I am missing something, the addition of a "hard-key" would not
be any better than a stored password.
Whether you authorize the machine, or a piece of hardware plugged into the
machine, does not make a difference.
What keeps another process/user/root/admin from requesting the
password/authorization from the hard-key?
(possibly a password that has to be entered by an admin?
and the cycle continues)
odiT
Just because you're paranoid, doesn't mean that they are not out to get
you...
-----Original Message-----
From: Pablo Solé [mailto:pablo_sole@....net.ar]
Sent: Wednesday, June 04, 2003 2:19 PM
To: full-disclosure@...ts.netsys.com
Cc: IRCXpro Support
Subject: Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default
remote admin passwords
> Many programs need a private key for encryption. Possession of this
> key is usually part if not all of the decision for authentication.
>
> The only relatively safe way of maintaining this key on disk is to
> encrypt it and require a decryption password from the user when starting
> the process.
>
> Unfortunately, system admins have a beef with servers that restart
> and require an operator to input a password to get the services up,
> especially in production environments.
An example of this is when you run an https server with a signed cert
and non-empty passphrase. You need to put the key every time you restart
the service.
IMHO, a solution could be some kind of hard-key (EEPROM connected to
the parallel port).
pablo.