Re: Win NT Authorization problems... the *real* fix you are looking for.
David Collier-Brown
davecb at Canada.Sun.COM
Mon Mar 23 12:50:36 GMT 1998
You said:
| 1) No sane administrator would want to defeat encrypted password by
| allowing clear text passwords in the registry if they didn't have to.
Actually that's MS doing a ``Fear Uncertainty and Doubt'' on us...
in a previous life as a professional paranoid (security person), I
got asked why Unix (including B2 Unix) didn't obfuscate passwords
passing across the net.
The answer is that the cost of obfuscating passwords was
only a little less than encrypting, passwords and data both, and
there weren't enough cycles available to encrypt the data. So
encrypting passwords but not the data the passwords protected was a
low-value high-cost exercise.
The MIT folks invented an elegant workaround, and
encrypted a challenge to be decrypted by the password, but did so
using (1) a dedicated fast server and (2) a willingness to let the
client (and its user) sit and wait.
Now that we **DO** have enough cycles to encrypt everything, I
do. I use Skip (http://skip.incog.com/), even on my wife's PC. It's
free and fast, and it encrypts everything in an IPsec-oriented way.
I used to refer to MS's scheme as ``wearing steel glasses
to protect your eyes in battle''. You still get killed by bullets to
the heart, and never know when to duck!
--dave (hmmn, didn't I just say that?) c-b
--
David Collier-Brown, | Always do right. This will gratify some people
185 Ellerslie Ave., | and astonish the rest. -- Mark Twain
Willowdale, Ontario | davecb at hobbes.ss.org, canada.sun.com
M2N 1Y3. 416-223-8968 | http://java.science.yorku.ca/~davecb