On Sunday 07 October 2007 08:26:51 Lubomir Kundrak wrote:
> > Leaking the information that a user exists or not is considered bad.
>
> Though I do not think that gdm is the right place to create user
> accounts, I disagree with this statement.
>
> Knowing that a user exists or not is in principle about the same
> dangerous as knowing whether a machine is up or not.

Remember all the times that login programs or pam have been updated to fix timing attacks that sometimes reveal whether an account is valid? Let me show you one to refresh your memory (there are more):

http://marc.info/?l=bugtraq&m=105172058404810&w=2

A successful account breach requires 3 things: a machine name, a valid account, and the password. Letting people know that an account is valid cuts the attack down to a dictionary attack.

-Steve