Finding Passwords

Marcus J. Ranum mjr at hussar.dco.dec.com
Sat Sep 29 01:37:38 AEST 1990


In article <BZS.90Sep28014217 at world.std.com> bzs at world.std.com (Barry Shein) writes:
>One simple and non-intrusive defense against most such attacks would
>be if, on successful login, the system would just tell you how many
>unsuccessful login attempts there have been on your account.

	This can be done with the trivial addition of a single field to
the lastlog file. I did this once, as a lunchtime hack, with a check to
see if the counter got over a certain value, at which point the login
was disabled until root reset the user's entry. Needless to say, the
root login's counter wasn't checked (root uses a secure tty, anyhow).

	It requires some trivial mods to login, and (unfortunately)
breaks compatibility between utmp and lastlog (unless you want useless
fields in your utmp).


mjr.
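The scheme sketched in the post, written out as an added example (not code from the original message or from any real login program): a lastlog-style record with one extra failure counter, incremented on a bad password, reported and reset on a good one, and a lockout that root clears by hand. The struct layout, field names, the threshold of 5 and the uid-0 exemption are assumptions for illustration.

```c
#include <string.h>
#include <time.h>
#include <sys/types.h>

#define LOCKOUT_THRESHOLD 5   /* assumed value; the post names none */

/* Constructed stand-in for a lastlog record plus the added field.
 * A real lastlog entry has only ll_time, ll_line and ll_host. */
struct lastlog_ext {
    time_t   ll_time;       /* time of last successful login */
    char     ll_line[8];    /* tty of last successful login */
    char     ll_host[16];   /* host of last successful login */
    unsigned ll_failcnt;    /* added: failures since last success */
    int      ll_locked;     /* added: set once the threshold is passed */
};

/* Called by login on a bad password. Returns 1 if the account is now
 * disabled and further attempts must be refused until root resets it.
 * uid 0 is exempt, as in the post (root is on a secure tty anyway). */
int note_failed_login(struct lastlog_ext *e, uid_t uid)
{
    e->ll_failcnt++;
    if (uid != 0 && e->ll_failcnt > LOCKOUT_THRESHOLD)
        e->ll_locked = 1;
    return e->ll_locked;
}

/* Called by login after a correct password. Returns -1 if the entry is
 * locked (login must still refuse), otherwise the number of failed
 * attempts since the last good login, which login shows the user,
 * and then records the login and zeroes the counter. */
int note_successful_login(struct lastlog_ext *e, const char *line, time_t now)
{
    unsigned failed;
    if (e->ll_locked)
        return -1;
    failed = e->ll_failcnt;
    e->ll_failcnt = 0;
    e->ll_time = now;
    strncpy(e->ll_line, line, sizeof e->ll_line - 1);
    e->ll_line[sizeof e->ll_line - 1] = '\0';
    return (int)failed;
}

/* Root's manual reset of a disabled entry. */
void root_reset_entry(struct lastlog_ext *e)
{
    e->ll_failcnt = 0;
    e->ll_locked = 0;
}
```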