don't bother; it's easy to crack your password no matter how long it is
Authored by: iRideSnow on Dec 07, '04 04:18:13PM

I don't know about method 2, but I tried method 1 on /private/var/vm/swapfile0, searching for my full login name, my short login name and even my password itself. Only the short name was found. This is with 10.3.6.

So, if this is a hole, it's either been fixed, or it's not consistent, or only comes into play if you don't have a lot of memory (I have 1G). Besides, you need admin privs to view/manipulate the swapfile anyway. So I don't really see how it's much of a hole seeing as how you have to either know the root/admin password anyway or go through some other contortions in order to somehow gain access to the swap file without knowing the admin password. And if you can do that, you probably already have pretty good access to the system and don't really need the admin password. No computer is 100% secure, especially when you have physical access to it. I mean, why not just remove the disk drive and dump the contents to a giant file! You're sure to find lots of cool stuff then!

Rob



don't bother; it's easy to crack your password no matter how long it is
Authored by: zojas on Dec 07, '04 04:58:34PM

Your login password can be written to the swapfile after you run sudo or are asked to authenticate by the GUI. I have 640 MB of RAM on my system, and have seen my passphrase in the swap file.

If your login password can be recovered, it can be used to unlock your keychain, which, depending on how you use it, can then be used to unlock your FileVault volumes.



don't bother; it's easy to crack your password no matter how long it is
Authored by: Anonymous on Dec 09, '04 10:51:14PM

It's good practice to have the keychain password different from the login password, for this reason.

Even if you have my login password, you would not be (easily) able to inspect my mail, ssh info or gpg keys (which are symlinked to an encrypted disk image) unless you provide the passphrase for my keychain.
