Password security - Another idea

[Dave Caswell]

Barry Shein) writes:
  Hiding something indicates that it is dangerous if revealed. It says,
  basically, that encryption technology is inadequate and cannot be made
  to work, the only reasonable protection is secrecy. Do we honestly
  believe this? Or, worse, do we believe that security is attained by
  layering anything we can think of onto the system?

If people have no reason to look at encrypted passowrds and it is easy to make
sure they can't look, why not have hidden passwords?  There are plenty of
computer systems that don't show users encrypted passwords and I don't 
automatically think they are hiding something or they have inadequate
technology.   Secrecy isn't a fair word; if everyone is the neighborhood
has curtains do you call them practicing secrcy or do you call the person
dressing in front of the open window an exhabitionist.  I don't consider
it layering anything onto the system; I consider it almost free protection
of material that people don't need to look at anyway.  Or to look at it 
another way; if all systems had shadow password files could you imagine
yourself arguing to show people the encrypted passwords to prove that
you had adequate technology?  Are you fighting change just for sake
of preserving the status quo?


-- 
Dave Caswell (former EMU student)
Greenwich Capital Markets                             uunet!philabs!gcm!dc