Finding Passwords
Scott L Fields
slfields at uokmax.ecn.uoknor.edu
Tue Sep 25 01:18:24 AEST 1990
In article <12165 at chaph.usc.edu> jeenglis at alcor.usc.edu (Joe English Muffin) writes:
>>though I don't know) make the first login prompt "<hostname> login:", and
>>switch to plain "login:" if an incorrect password is entered. This disables
>>login trojans by making them unconcealable.
>
>Yeah, but by the time you realize that
>login isn't displaying the right prompt,
>it's too late to do anything. The password-
>snarfer could also exec /bin/login instead of
>exiting, which would make everything look
>right (it's getty that displays the hostname,
>etc., not login.)
>
>Of course, getting into the habit of always
>typing a bogus username & password when
>you first sit down at a terminal will defeat
>most simple-minded login trojans, if you
>want to be paranoid about it.
The point in the previous case is to immediately change your password if you
spot the trojan after logging in. A better idea might be to hit break before
logging in. There is always the possibility of landing in the trojan's account.