[Fedora-directory-users] boot time startup requires password

Kevin Myer kevin_myer at iu13.org
Fri Jul 8 15:51:48 UTC 2005

Quoting Brian Jones <bkjones at gmail.com>:

> Thanks, Kevin.
> Can I make a feature request to whoever sees this that is way better
> at Java/C than me to at least make the stored password crypted in
> something stronger than rot13?

Just my opinion, but its kind of moot what format its stored in, as 
long as its
a reversible cipher.  An attacker need only see the ciphertext.  Obscurity
provides only one thing - it raises the bar to actually use the password, in
that it requires an attacker to do a minimal amount of work to figure out what
the plaintext is.  If the server daemon can use a reversible process to obtain
plaintext, then so can the attacker and they need to do that work 
first, before
they can just type it in.  So the note in the documentation about not using
this mechanism for storing passwords on an unsecured system is 
definitely to be

I've seen a number of debates about the merits of obscuring passwords in other
contexts - in one case, the decision was apparently made that it wasn't even
worth the hassle to obscure the password and it was echoed onto the screen of
the browser, since in theory, only administrators could access that 
screen. I'd be interested to see what others think about obscuring the 
admin password.

Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13  http://www.iu13.org

More information about the Fedora-directory-users mailing list