Just to be clear, I obtained the passwords (including root) with "crack", but I NEVER used them. I did not ever attempt to log into any account that I was not authorized to use. All I did was to notify the actual administrator of the system about the security issues. The issues being both that even through "shadow passwords" was working properly, one could still obtain encrypted passwords by using "ypcat passwd", and that some users (including him) were using insecure passwords. The user who panicked and called my boss had just assumed that I accessed his Windows account. Oh, and there were never any hard feelings between us after that. We are still friends today.

I'd still be super careful doing that without explicit written authorisation. You "got away with it", not everybody does. (Although I'll note he admits to having made some "stupid" decisions which perhaps you avoided. And I'm guessing he knowingly or unknowingly pissed off someone powerful enough to push through 3 felony convictions, even if they were borderline enough to be completely expunged 12 years later. You never want to piss those guys off without appropriate in-writing justification):

https://www.washingtonpost.com/archive/business/1997/09/15/t...

"He installed a program called "Crack" that automatically guesses passwords. Like most tools, it's used by both good guys and bad guys, by those who abuse computer systems and by system administrators who want to find out whether users are avoiding such easy targets as plain English words. It's even distributed by the Computer Emergency Response Team at Carnegie Mellon University.

He installed the program without telling his boss, something that he today admits was "stupid." But the program proved his point: Crack quickly guessed nearly 50 passwords of the 600 users of that system -- one belonging to a company vice president. Instead of reporting the company's security problem right away, Schwartz has said, he decided to continue testing. Again, he admits in hindsight, "stupid."

Other system administrators discovered the program and traced it back to Schwartz.

Schwartz insisted he never used the passwords for any nefarious purpose, and said he only acted because the company's lax security bugged him."

Oh, and another good story from when I still had the same boss. A few years later I thought I would prank my office-mate (and show how easy it was to spoof email headers). This was back in the days with SMTP didn't have any security. From a hallway computer (not directly traceable to me), I composed a "You're Fired!" email from my boss to my office-mate. My office-mate had an east-European surname that was easy to misspell and I did. So the email bounced back to my boss and my office-mate never saw it. My boss knew right away who was responsible. He laughed.

All very true! My story is from about 10 years before Randal's, but it was after the CFAA was passed so I guess I dodged a bullet.

I was defacto 'network admin' at one company. One guy I warned off the porn (dont care you look just do it at home on your own line). He got mad and yelled at the owner and got my privs revoked on the network by bullying one of my other co-workers. My boss took them back and then added even more just to make the guy look bad. Lesson learned. Just block it and do not say anything if you are not in authority to say so. If they complain 'you will look into it'.