The iPhone is insecure, the iPod is unreliable, and OS X is a virus target waiting to happen. But that’s not all.
If you have been running Mac OS X since 10.2.8 or before, and your password has more than 8 characters, your upgrade to Leopard will cause you to lose access to your user account. That means booting up into single-user mode.
How on earth did:
a. This bug get introduced
b. This bug not get detected at some point during development
c. Anything change in password management between the 10.2 and 10.3 series?
My alternate password has 9 characters, so if I were a Mac user I'd pretty much be buggered. I assumed the "Industrial-strength Unix base" would follow Unix convention and keep salted password hashes in a root-only shadow file (/etc/shadow on Linux, /etc/master.passwd on the BSDs). Thinking about it further, a cut-off at exactly eight characters is the signature of traditional DES crypt(3), which silently hashes only the first eight bytes of a password: if the 10.2-era records were computed that way and Leopard now checks the full password against them, anything longer than eight characters can never match. An off-by-one in the salt handling is another possibility, but I still can't imagine why any Apple developer would touch such a time-tested authentication path in the first place; unless of course it was "enhanced" (crippled) by Apple at some point for some godforsaken reason.
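To make that failure mode concrete, here is an added illustration (my own code, not Apple's, and not its real hash format): a legacy hash routine that, like DES crypt(3), only looks at the first eight bytes of the password, beside an upgraded verifier that hashes the whole thing. Salted SHA-256 stands in for the real algorithms, the password and salt are constructed for the example, and the migration-aware verifier and rehash-on-login step are my suggestion for how an upgrade should handle such records, not anything Leopard does.

```python
import hashlib
import hmac
import os

# Added illustration, not Apple's code. Salted SHA-256 stands in for the real
# hash formats; the only property that matters here is the 8-byte truncation
# that traditional DES crypt(3) applies to passwords.
LEGACY_MAX = 8


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Old-style record: everything after byte 8 of the password is ignored."""
    truncated = password.encode("utf-8")[:LEGACY_MAX]
    return hashlib.sha256(salt + truncated).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """New-style record: the whole password is hashed."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def naive_verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    """What an upgraded verifier does if it forgets the old records were truncated."""
    return hmac.compare_digest(modern_hash(candidate, salt), stored)


def migration_aware_verify(candidate: str, salt: bytes, stored: bytes):
    """Return (ok, needs_rehash).

    Tries the modern hash first; if that fails, falls back to the legacy
    (truncating) hash and flags the record so it can be upgraded on this login.
    """
    if hmac.compare_digest(modern_hash(candidate, salt), stored):
        return True, False
    if hmac.compare_digest(legacy_hash(candidate, salt), stored):
        return True, True
    return False, False


def login_and_upgrade(candidate: str, salt: bytes, stored: bytes):
    """Authenticate; on a legacy match, return a fresh full-length hash to store."""
    ok, needs_rehash = migration_aware_verify(candidate, salt, stored)
    if not ok:
        return False, stored
    if needs_rehash:
        return True, modern_hash(candidate, salt)  # now covers the full password
    return True, stored


def demo() -> dict:
    """Walk a 12-character password through an upgrade with a constructed salt."""
    salt = os.urandom(8)
    password = "correcthorse"             # 12 characters, longer than LEGACY_MAX
    stored = legacy_hash(password, salt)  # what the pre-upgrade record holds
    result = {
        # the upgrade bug: the full password no longer verifies
        "full_password_naive": naive_verify(password, salt, stored),
        # consequence of truncation: the first eight characters alone still do
        "first_eight_naive": naive_verify(password[:LEGACY_MAX], salt, stored),
        # a migration-aware verifier lets the real password in and flags a rehash
        "full_password_aware": migration_aware_verify(password, salt, stored),
    }
    ok, upgraded = login_and_upgrade(password, salt, stored)
    result["upgraded_record_verifies_fully"] = ok and naive_verify(password, salt, upgraded)
    # after the rehash, the eight-character prefix is no longer enough
    result["prefix_after_upgrade"] = naive_verify(password[:LEGACY_MAX], salt, upgraded)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things fall out of the model. First, if the old records really were truncated, the first eight characters of the long password still verify against them, which is why a lock-out of this shape tends to have "type only the first eight characters" as its escape hatch. Second, the right way to move users off a weak record is to accept the legacy hash once, rehash the full password under the new scheme on that login, and only then stop honouring the truncated form.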
We all know that Apple was going to lock down the iPhone until hackers made a mockery of its "closed platform"; now it seems Apple wants to lock down your entire computer so you don't have administrative access either. More likely, their shithouse modifications to the authentication system have also buggered up admin group membership (the default sudoers file on OS X only grants rights to members of the admin group), silently converting the default administrator account into a standard account.
Sigh. And Apple wonders why only Mac zealots want to run OS X on servers.
The article where I learnt about these security-related problems also yields some very telling comments from readers:
I currently have one account on my PowerBook G4, which is an admin account. I know, I should really run as a standard user, but it's tiring having to enter a password every time I install a new app or move something in the hdd folder. So, should I create a second admin account?
No, moron! You're already logging into one too many administrator accounts. STOP WORKING AS AN ADMINISTRATOR. An OS X admin account is not literally root, but it is one password prompt (or one sudo) away from it, and it can already write to /Applications and most of the system without being asked. Log in as an ordinary user and accept that you have to enter your password occasionally. Security through obscurity (a PowerPC user base too small for malware authors to bother with) has saved you thus far, but don't push your luck: if you downloaded a virus or some sort of malicious script tonight, it would run with your admin rights, your computer would be completely compromised, and many late Unix veterans would be spinning in their graves.
And as for your suggestion of creating a second admin account: you would be doubling the number of accounts whose password hands an attacker full control of the machine. It's a really dumb idea to have two admin accounts for one user, for this reason and for others.
My accounts disappeared and they each had a 1 character password. I haven’t seen this mentioned anywhere so far.
Congratulations, you get my vote for non-Windows-computing dumbass of the year. What is the point of a one-character password? It can be brute-forced in a fraction of a second, even if it's not alphanumeric: there are fewer than a hundred printable characters to try, so whatever hash sits in front of it falls to a hundred guesses. You wouldn't have known this, but a salt doesn't rescue you here either; the salt is stored next to the hash and only defeats precomputed tables, not a hundred guesses against one account. A hash is only as strong as the secret behind it.
Few websites will even let you have a password shorter than four characters; didn't it occur to you that the password guarding your whole computer should be at least as strong as the ones you are forced to use on the web? (At least as strong, not the same one: reusing a password across accounts just means one leak compromises all of them.)