Finding Passwords

Barry Shein bzs at world.std.com
Fri Sep 28 15:42:17 AEST 1990


One simple and non-intrusive defense against most such attacks would
be if, on successful login, the system would just tell you how many
unsuccessful login attempts there have been on your account.

This could be accomplished via a database only writeable by root. Of
course, the printout could just be the output of a simple program run
in your login script (itself somewhat secure, reporting only on the
real uid, but that's not so critical as it's the ability to increment
the count or zero it out which must be secure, not just report it.)

Being as most of these programs would tell you you mistyped your
password (after squirreling it away) seeing "Unsuccessful logins: 0"
would indeed be suspicious a moment later. You would change your
password immediately and report it if appropriate.

Such a program would also let you know if someone has been trying to
guess your password (Unsuccessful logins: 123).

Of course, if they broke into that db then who cares, they have root
access, you're dead meat anyhow.
-- 
        -Barry Shein

Software Tool & Die    | {xylogics,uunet}!world!bzs | bzs at world.std.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD