Multiple Root ID's considered evil?

tom reingold tr at madeleine.ctt.bellcore.com
Tue Sep 12 23:17:59 AEST 1989


On the subject of "Multiple Root ID's considered evil?",
tchrist at convex.com (Tom Christiansen) writes:

$ Some sites are known to have multiple uid 0 accounts so not
$ everyone needs to know the root password.  I seem to recall
$ that this is considered a poor idea for security reasons.
$ Could someone please explain why?

The practice of having multiple privileged logins is criticized because
it is said that this gives the cracker more chances at cracking a
privileged password.

I disagree with this outlook.  While it is true that the cracker has
more chances, I think this is more than outweighed by several
advantages.  Primary among them is that people -- who even trust each other --
don't share passwords.  Therefore, when you need to give out a
superuser password temporarily, you don't give out the one that
everyone knows and depends upon staying the same.  Instead you make a
temporary one and destroy it later, leaving the regular superuser
passwords in place.

Another small advantage, not to be counted upon heavily, is that
crackers who don't have your password file may start by assuming that
there is a "root" login and try to crack that password.  If you have a
"*" as the password field, you rest assured that the cracker can try
all he likes at that account.

Tom Reingold                   |INTERNET:       tr at bellcore.com
Bellcore                       |UUCP:           bellcore!tr
444 Hoes La room 1H217         |PHONE:          (201) 699-7058 [work],
Piscataway, NJ 08854-4182      |                (201) 287-2345 [home]
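
An audit of the setup discussed in this message, as an added example that is not part of the original post: a POSIX shell function that lists every uid 0 entry in passwd-format input and classifies its password field. The function names, status labels and sample lines are constructed for illustration, and the sample assumes 1989-style hashes stored in field 2.

```shell
#!/bin/sh
# Added example: find all uid 0 accounts and show whether each one can be
# logged into with a password. Not code from the original post.

# Constructed sample data in passwd(5) format (no real host, no real hashes).
sample_passwd() {
cat <<'EOF'
root:*:0:0:Operator:/:/bin/sh
tr-root:Xy3kPq9LmN0aB:0:0:Tom (privileged):/:/bin/csh
tmp-root::0:0:temporary superuser:/:/bin/sh
daemon:*:1:1::/:
tr:Ab1cD2eF3gH4i:1001:100:Tom:/usr/tr:/bin/csh
EOF
}

# audit_uid0 [FILE...]  (reads stdin when no file is given)
# Prints "name status" for each uid 0 entry:
#   NO-PASSWORD   empty field 2: login needs no password at all
#   locked        field 2 starts with "*" or "!": no password can match
#   shadowed      field 2 is "x": hash lives in a shadow file, check there
#   password-set  anything else: a hash that a guesser can attack
audit_uid0() {
    awk -F: '
        /^#/ || NF == 0 { next }                      # comments, blank lines
        NF < 7          { print "line " NR, "malformed"; next }
        $3 ~ /^0+$/ {                                 # "0", "00", ... are all uid 0
            if ($2 == "")           status = "NO-PASSWORD"
            else if ($2 ~ /^[*!]/)  status = "locked"
            else if ($2 == "x")     status = "shadowed"
            else                    status = "password-set"
            print $1, status
        }' "$@"
}

# Stand-alone run against the constructed sample.
sample_passwd | audit_uid0
```

On a live system, run `audit_uid0 /etc/passwd`; any `NO-PASSWORD` line, or a temporary uid 0 entry that was never removed, is what to look for.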


