Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: Bush2000
Neither the Linux nor the Windows password systems need to be invulnerable to all possible attacks in order to be sufficient and useful for the vast number of uses.

Of course not, that's why I said hardening Linux's passwords would just be for the really paranoid.

Your suggestion that this makes Windows "inferior" to Linux systems is a pile of crap. In order to do hash lookups, you're going to need access to the password hashes.

Yes, in both the Windows and Linux cases you need access to the machine. Now that we've gained access to both systems, I am stumped by the Linux box and can get all of the passwords off the Windows box in a few minutes. Now I can access all of those users' files (even encrypted) on that machine and throughout the network, wherever those users have permission.

Which one's more secure? We both know security isn't a matter of stopping crackers, but in making it too difficult for them to bother. Unfortunately, Windows passwords are no longer difficult to crack.

Need to replace Windows authentication? No problem. See pGina. The source code is readily available.

Congratulations, you found one. I wonder why the earlier proponent of this hadn't been able to produce it. In any case, it shows that security can be increased (definitely a good thing), but as you know we usually stick to what's in the box, not something I've never seen used, not even in a Top Secret environment.

539 posted on 08/31/2005 12:20:31 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 537 | View Replies ]


To: antiRepublicrat
Yes, in both the Windows and Linux cases you need access to the machine. Now that we've gained access to both systems, I am stumped by the Linux box and can get all of the passwords off the Windows box in a few minutes. Now I can access all of those users' files (even encrypted) on that machine and throughout the network, wherever those users have permission.

This is the kind of nonsensical post that I've come to expect from you. Ask any security expert about this issue. If you have physical access to a machine, it doesn't matter which OS is installed: It can be compromised. Complaining that it's easier to get passwords from Windows than Linux is a waste of bandwidth because BOTH CAN BE COMPROMISED. So give it a rest. This isn't a meaningful or honest debate.

Congratulations, you found one. I wonder why the earlier proponent of this hadn't been able to produce it. In any case, it shows that security can be increased (definitely a good thing), but as you know we usually stick to what's in the box, not something I've never seen used, not even in a Top Secret environment.

Sigh. I don't know why I have to keep explaining this for you. You use whatever security is appropriate for your needs. Smart admins don't just use whatever comes in the box. Higher security environments require more stringent protections: smart cards, locked labs, etc. Security requires a tiered approach that encompasses far more than a choice of which OS to use. You should know that by now. Sadly, you're so preoccupied with proving that one or the other is "inferior" that you completely miss the point.
541 posted on 08/31/2005 12:36:05 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 539 | View Replies ]

To: antiRepublicrat
get all of the passwords off the Windows box in a few minutes.

That is a flat-out lie! I'll bet you your yearly salary that you can't do that on my Windows box. Also the Linux box IS vulnerable if the password length and salt aren't long enough. The same applies to Windows. Geesh, it's like I'm talking to someone that has no short-term memory.

548 posted on 08/31/2005 1:39:21 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 539 | View Replies ]
