[2833] in bugtraq
Re: Write-only devices (Was read only devices)
daemon@ATHENA.MIT.EDU (aleipold@clark.net)
Thu Jun 27 19:27:50 1996
Date: Thu, 27 Jun 1996 17:50:52 -0400
Reply-To: aleipold@clark.net
From: aleipold@clark.net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <9606272041.AA15776@albano>
> I think you should log more than just valid usernames. In logging code
> I wrote once I logged all usernames that had one of the following
> characteristics:
> - existing user
> - only alpha numeric characters, starting with an alpha
>
> While that may still log passwords, it only logs weak passwords.

Take it a step further. In messing around with sources to daemons
I figured the best way to do this would be: (note, don't do this on a system
with lots of accounts). I knew that a computer (586) can do about 1200
crypts per second. So then I:

    while (accountsleft)
        oops=crypt(words,salt[a-z]);
        if oops=rightpassword then don't syslogit
        otherwise:
            syslog("oops...");
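
Added example, not part of the original post: a Python version of the check described above, where a string typed at the login prompt is hashed under every account's salt and is logged only if it matches no account's password. PBKDF2 stands in for crypt(3), and the account table, function names and log strings are constructed for illustration.

```python
import hashlib
import hmac


def hash_password(password, salt):
    """Stand-in for crypt(3): salted PBKDF2-HMAC-SHA256 (assumption, not the post's crypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def make_accounts(plain):
    """Build a constructed account table: name -> (salt, stored hash)."""
    accounts = {}
    for i, (name, password) in enumerate(sorted(plain.items())):
        salt = b"salt%02d" % i
        accounts[name] = (salt, hash_password(password, salt))
    return accounts


# Constructed sample data standing in for the system password file.
ACCOUNTS = make_accounts({"alice": "Tr0ub4dor", "bob": "hunter2"})


def is_some_accounts_password(typed, accounts):
    """Hash the typed string under each account's salt; True if any stored hash matches."""
    hit = False
    for salt, stored in accounts.values():
        # No early exit: the work done does not depend on which account matched.
        if hmac.compare_digest(hash_password(typed, salt), stored):
            hit = True
    return hit


def log_line_for_failed_login(typed, accounts):
    """Return the text to syslog for a failed login, or None to log nothing."""
    if typed in accounts:
        return "failed login for user %r" % typed
    if is_some_accounts_password(typed, accounts):
        return None  # the "username" is a real password: keep it out of the log
    # %r escapes control characters, so the typed string cannot forge log lines.
    return "failed login for unknown user %r" % typed


if __name__ == "__main__":
    for attempt in ("alice", "hunter2", "mallory"):
        print(repr(attempt), "->", log_line_for_failed_login(attempt, ACCOUNTS))
```

Each failed login with an unknown name costs one hash per account, which is why the post warns against doing this on a system with lots of accounts.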