
| Subject: | Re: Logging attempted passwords |
|---|---|
| Date: | Mon, 25 Oct 2004 13:21:53 +0100 |
True up to a point, that if someone has compromised your logs then your login account isn't safe. But mainly because of privilege escalation threats. It's more than possible that the permissions on your logs might not be quite tight enough, whereupon if someone has hacked *any* unprivileged account (and there's sure to be one with a weak password) he has the possibility of hacking other, possibly more privileged accounts if hints to their passwords can be found in a log. Even if perms on logs are ok, you might still end up with passwords in an editor temporary file in /tmp.

The only safe policy is to ensure passwords are *never* stored or displayed in the clear. If the burglar gets in the front door, you don't just wring your hands and say "OK, here's the keys to my safe", you make sure you put barriers in his way at every point you can.

There is a place for using password crackers (with full, signed permission from management) for checking for weak passwords, but any other reason for logging passwords (short of a full-blown forensic investigation) would need a pretty convincing justification.

- Philip
> > Suppose your password is 'Open*SSH-3.9' (without the quotes). But that's pretty hard to type on some keyboards with hyperactive Shift keys, so maybe you fail by accidentally typing 'OPen*SSH-3.9', and that gets logged. Now, someone gets hold of your logs (by whatever means). Do you think your password is "safe" any more?
>
> No, but even if my password is not logged in some log, I would think my password was not safe if I knew that someone had gotten a hold of the logs... If the system is compromised, then all bets are off. It's that simple. Under such circumstances, you'd better change your password, regardless (and re-install the OS from known-clean media, and apply all updates before re-connecting it to the network, and)...
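The exchange above argues that a logged near-miss ('OPen*SSH-3.9' for a real password of 'Open*SSH-3.9') is almost as good as the password itself. The following is an added example, not code from the thread or from OpenSSH, that makes the point concrete: given only the logged typo and the verifier's stored hash, it tries the attempt itself and then everything within one edit (case flips first, since a sticky Shift key is the failure mode described), and reports how many hashes that took. `pw_hash`, `neighbours`, `recover_from_near_miss` and `search_space` are hypothetical helper names; plain SHA-256 stands in for a real credential store only to keep the demo dependency-free, and the two password strings are the constructed ones from the message.

```python
"""Added example: why a logged near-miss of a password is almost as good as the password."""
import hashlib
import itertools
import string
from typing import Iterator, Optional, Tuple

# Constructed demo data, taken from the thread's own illustration.
REAL_PASSWORD = "Open*SSH-3.9"    # the real secret; a system should never store this in the clear
LOGGED_ATTEMPT = "OPen*SSH-3.9"   # the typo'd attempt a "log failed passwords" feature would record

# Hypothetical stand-in for the credential store. Plain SHA-256 keeps the demo free of
# dependencies; real systems use a salted, slow hash (bcrypt/scrypt/argon2), which only
# slows this search down a few thousand times over, it does not change the conclusion.
def pw_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

STORED_HASH = pw_hash(REAL_PASSWORD)

# Printable ASCII minus space: what a user is likely to have typed.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def neighbours(s: str) -> Iterator[str]:
    """Yield every string within one edit of s, most likely typos first.

    Order: case flips (sticky Shift), then single-character substitutions,
    deletions and insertions. Each distinct candidate is yielded once.
    """
    seen = {s}

    def emit(cand: str) -> Optional[str]:
        if cand in seen:
            return None
        seen.add(cand)
        return cand

    for i, ch in enumerate(s):                       # case flips
        if ch.isalpha():
            c = emit(s[:i] + ch.swapcase() + s[i + 1:])
            if c is not None:
                yield c
    for i in range(len(s)):                          # substitutions
        for a in ALPHABET:
            c = emit(s[:i] + a + s[i + 1:])
            if c is not None:
                yield c
    for i in range(len(s)):                          # deletions
        c = emit(s[:i] + s[i + 1:])
        if c is not None:
            yield c
    for i in range(len(s) + 1):                      # insertions
        for a in ALPHABET:
            c = emit(s[:i] + a + s[i:])
            if c is not None:
                yield c


def recover_from_near_miss(logged: str, stored_hash: str) -> Tuple[Optional[str], int]:
    """Try the logged attempt itself, then everything one edit away.

    Returns (recovered password or None, number of hashes computed).
    """
    tried = 0
    for cand in itertools.chain([logged], neighbours(logged)):
        tried += 1
        if pw_hash(cand) == stored_hash:
            return cand, tried
    return None, tried


def search_space(logged: str) -> int:
    """Number of candidates an attacker must hash when starting from a logged near-miss."""
    return 1 + sum(1 for _ in neighbours(logged))


if __name__ == "__main__":
    pw, tries = recover_from_near_miss(LOGGED_ATTEMPT, STORED_HASH)
    print(f"recovered {pw!r} after {tries} guesses; "
          f"one-edit neighbourhood is {search_space(LOGGED_ATTEMPT)} candidates, "
          f"blind brute force of 12 characters from this alphabet is {len(ALPHABET) ** 12:.1e}")
```

With the thread's own strings the real password is the third candidate hashed, and the whole one-edit neighbourhood is a few thousand strings, versus roughly 10^23 for a blind 12-character search: the logged typo has reduced the attacker's work from infeasible to instantaneous, which is the point Philip and the quoted poster are making about never writing attempted passwords to a log.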
| Previous by Date: | Re: Logging attempted passwords, Greg Wooledge |
|---|---|
| Next by Date: | Re: How to verify Privilege Separation is working?, Jerry |
| Previous by Thread: | Re: Logging attempted passwords, Bartek Krajnik |
| Next by Thread: | Controlling ssh from an external program, Jeff Anderson |