Finding Passwords

Edward Luke lush at EE.MsState.Edu
Fri Sep 21 23:36:25 AEST 1990


In article <11133 at galbp.LBP.HARRIS.COM> mhw at wittsend.syntrex.com
(Michael H. Warfield (Mike)) writes:

>	It is possible to "catch" passwords while they are being typed at a
>terminal, but this generally requires intimate knowledge of the system and
>often requires superuser privileges.  A typical "trojan horse" attack would
>be to leave a dummy "login" program on the line to catch the next guy's login.
>You give him a bogus "Incorrect login" and drop out to let getty give him
>a legitimate shot at logging in.  Normal system security for terminal devices
>and honest, diligent system administrators can prevent most of this or make it
>so difficult, it's not worth the effort.

Unfortunately this is not true.  Trojan Horses are very easy to
implement, and they don't require super user access.  All an evil
trojan horse writer would need is access to that terminal...  Log in,
run a login program that looks identical to the normal login procedure.
This procedure would snarf up the passwd, tell the user "Sorry wrong
password", and then exit back to the real login procedure.  If your
terminal is in a highly accessible location, a trojan horse is certainly
an option for obtaining passwords.

Edward Luke                              lush at ee.msstate.edu
Mississippi State University
NSF Engineering Research Center for Complex Field Simulation



More information about the Comp.unix.internals mailing list