Re: CRYPT

From: Chris Herringshaw (xxviper@med.umich.edu)
Date: 04/22/95


Well, I believe at this point we are talking more about ethics 
than a security risk.  The risk is not so much that a hacker
can penetrate your system (which they can), but that an
unethical administrator can procure player passwords, which
as Andy pointed out, are often related to unix passwords,
or player on another mud game.  Most users are not smart
about choosing passwords, which is as close to a fact as it needs
to be in this case.

====================================================================
Christopher Herringshaw     Networking and Special Projects Division
Medical Center Information Technology (MCIT)   xxviper@med.umich.edu
University of Michigan Medical Center, B1911 CFOB
1414 Catherine Street, Ann Arbor, MI 48109-0704       (313) 747-2778
====================================================================

On Sat, 22 Apr 1995, Spawn@KrimsonMud wrote:
>
> Anyway, this is ridiculous.  Everyone's complaining about crypt() being a 
> security risk... Well, any decent hacker that can get into the shell and 
> use the mudpasswd.c (whatever), modified of course, to change anyone's 
> password in the game without knowing it.  Not to mention purgeplay.  Yes, 
> it's entirely possible that in a text file the same hacker can set up his 
> level, play around with things, but you can easily change that back and 
> site ban provided it's straight ASCII.  What are you going to do in the 
> other case?  Purge the entire player file because a person changed a 
> password or used a modified purgeplay to set the delete flag on anyone 
> they want....  REALLY safe there.
> 
> 


