Edward Leiper wrote:
> DM <dont_spam_me@reply_to_group.instead> writes:
>
>
>>Some md5, etc yoda would be able to confirm/deny that, or shed more
>>light on it.
>
>
> Based on mathematical functions they are. Deduce input from output
> you cannot. To crack, every input try you must. Thus useful for
> password storage they are!
>
> For understanding, read this you may:
>
> http://en.wikipedia.org/wiki/Hashing_function
Very cute. The wikipedia.org is a wonder. It will become (if it isn't
already) a world treasure.

One very important not about passwords. If you have a stupid password,
like your login name and someone knows your logion name, your are dead
meat. If you have a short stupid password you are at risk. If you have a
fairly complex longish password you are probably pretty safe.

I had one user named Alan whose user name was "alan" and who changed his
password to "alan". An SSH script exploit got into his user account.
Luckily there wasn't anything interesting there and the invader got no
further and went elsewhere.

Since then I no longer let users change their passwords, and I give them
reasonably strong passwords with upper and lower case, punctuation, and
numbers. I change their passwords monthly. I have restricted SSH logins,
and use public/private keys only (no more passwords). My users aren't
happy, but they (and my systems) are much safer.

A strong password and good system policies are a pretty hard nut to
crack. On the other hand weak passwords and no policy is asking for
visitors.

If your system uses MD5 passwords and shadow files that are only
readable by root you are pretty safe as long as you have a really good
root password and change it once in a while.

That's my opinion, I could be wrong.