Re: Prompting for passwords on the desktop?



Patryk Zawadzki wrote:
> On Fri, Sep 19, 2008 at 12:42 PM, Gustavo J. A. M. Carneiro
> <gjc inescporto pt> wrote:
>> Someone who has gained a user privilege could possibly show a fake
>> password input dialog that looks exactly like a "real" password prompt,
>> thereby learning the root password.
>>
>> Same thing with VT switching.  It shouldn't be hard to make it look
>> like we are switching VT from a simple X11 program running as the user.
>>
>> If the local user account has been compromised it seems to me that all
>> hope is lost.  So I don't really see the point of all this Trusted Path
>> complexity.
>>
>> But I'm no security expert; I might be missing something.
> 
> I believe the goal is to use some uncatchable keyboard sequence à la
> Windows' secure auth (Ctrl+Alt+Del).

This works on Windows (on a domain) because the goal in those situations
is to have perfect and total single sign on. This has been watered down
in more recent (less coherent) Windows releases, but the goal was always
to prompt the user once and never prompt them again for any application
because the system uses Kerberos.

In our mix of applications and protocols passwords abound, and it's less
likely that a Ctrl-Alt-Del style solution would be sufficiently usable.

Cheers,

Stef Walter


