Re: Password policy.
- Date: Wed, 14 Nov 2018 20:21:42 +0000
- From: Brian <ad44@xxxxxxxxxxxxxxx>
- Subject: Re: Password policy.
On Thu 15 Nov 2018 at 03:41:42 +1100, Andrew McGlashan wrote:
> On 15/11/18 2:51 am, Brian wrote:
> > And what is the value to an attacker in having /etc/shadow, assuming it
> > can be decrypted in a sensible time frame? Remotely logging in? Surely
> > not in these days of ssh keys?
> Well.... re-use of passwords.
> We all know that if you have a username (often times an email address)
> and the password used for that username, then there are too many places
> where that same credentials might be re-used elsewhere.
True, that is a possibility. But unless the attack is against a known
user whose habits are also known or that can be guessed, knowing the
password isn't dreadfully useful in itself.