I think what they're referring to is having access to the physicial harddisk. In linux terms it would equate to having a copy of the /etc/passwd file.
For example the FBI seizes someones computer. This would allow them to brute force without said restriction.
So yes, from an online, or standard entry viewpoint this is a moot point. Also a properly encrypted hard drive using something like truecrypt is still pretty impenetrable regardless.
I've grabbed the SAM file from remote IIS servers in my younger years and cracked the passwords locally.
Buffer overflow the web service, bind a command shell to a port running as the system account (by having the system execute shellcode used in the buffer overflow), netcat to your open port, ftp the SAM (located in the repair directory) to somewhere you can retrieve it, download the file, delete all of the logs, crack the file.
Hard drive encryption would have done nothing to prevent this.
> Hard drive encryption would have done nothing to prevent this.
And it's quite common in corporate environments for PGP Desktop HDD encryption to be setup to use the Windows password as the key to accessing the HDD encryption key(s).
For this reason we're advised not to put out laptops in sleep mode when transporting the laptop as someone finding the laptop could do something like the above (remote exploit and then get access). When coming out of hibernation PGP desktop requires the HDD password to be provided so that it isn't in an exploitable state.
Technically you want /etc/shadow as that is where the actual hashes are stored.
On a Linux system usually any user has at least read access to /etc/passwd but only root has /etc/shadow.
This attack would presume that you already have either physical access to the disk or you have already compromised the machine remotely to basically root or admin type level.
Of course being able to get the actual passwords of users would be useful to an attacker because they might be able to use them to elevate from access to one system to potentially other systems where users might well be using the same password.
Not sure how drive encryption with Truecrypt would work in this case. I presume password hashes are stored outside of the encrypted part otherwise every user would have to enter the volume key before they signed in regardless of their access level. Which would mean distributing the volume key widely.
Truecrypt is also vulnerable in the sense that it is often possible to grab the volume key straight out of DRAM if the computer is on or has only recently been switched off.
For example the FBI seizes someones computer. This would allow them to brute force without said restriction.
So yes, from an online, or standard entry viewpoint this is a moot point. Also a properly encrypted hard drive using something like truecrypt is still pretty impenetrable regardless.