From: Norman Wilson
To: tuhs@tuhs.org
Date: Sat, 19 Oct 2019 09:45:30 -0400
Subject: Re: [TUHS] Recovered /etc/passwd files

I'm amused (in a good way) that this thread persists, and without becoming boring.

Speaking as someone who was Ken's sysadmin for six years, I find it hard to get upset over someone cracking a password hash that has been out in the open for decades, using an algorithm that became pragmatically unsafe slightly fewer decades ago. It really shouldn't be in use anywhere any more anyway. Were I still Ken's sysadmin I'd have leaned on him to change it long ago.

So far as I know, my password from that era didn't escape the Labs, but nevertheless I abandoned it long ago--when I left the Labs myself, in fact. I do have one password that has been unchanged since the mid-1990s and is stored in heritage hash on a few computers that don't even have /etc/shadow, but those are not public systems. And it's probably time I changed it anyway.

None of this is to excuse the creeps who steal passwords these days, nor to promote complacency. At the place I now work we had a possible /etc/shadow exposure some years back, and we reacted by pushing everyone to change their passwords and also by taking various measures to keep even the hashes better-hidden.

But there is, or should be, a difference between a password that is still in use and one that was exposed so long ago, and in what is now so trivial an algorithm, that it is no more than a puzzle for fans of the old-fart days.

Norman Wilson
Toronto ON