dlc@dlc.fac.cs.cmu.edu (Daryl Clevenger) (12/24/88)
In article <8594@alice.UUCP> debra@alice.UUCP () writes:
>Requiring the use of a non-alphanumeric character is not at all sufficient.
>Many people react to this by just putting a special character (usually ".")
>in front of their old password...
>

(This post is just a humorous interjection, not a comment one way or the other. It does illustrate yet another example of a program that missed a boundary case.)

A friend of mine who used to work for a research project here at CMU had an interesting thing happen to him related to this. His group had a few HP Bobcats running HP/UX and he was given an account on them. Upon logging in the first time, he was asked to change his password and was required to use at least one non-alphanumeric character (I don't know if it cared where it was put into the password string). Being relatively naive about UNIX and not knowing its history, he picked '@' as his special character, which /bin/passwd gladly accepted. Guess what happened the next time he tried to login? The system kept printing "Login incorrect" and he was certain he was using the right passwd. Finally, he called me up and related to me what had happened. I asked him which special character he used, and I thought about it for a moment. Then I remembered that the default 'Kill line' character used to be '@'. I told him to type his passwd at the "login:" prompt (why not, nobody could use it for much as it was) and tell me what happened. My suspicions were confirmed when I heard the screams and cursing.

Moral: All characters are special; some are more special than others.

------------
Daryl Clevenger dlc@cs.cmu.edu
CMU CS/RI Facilities Staff
--
ark@alice.UUCP (Andrew Koenig) (12/24/88)
In article <3934@pt.cs.cmu.edu>, dlc@dlc.fac.cs.cmu.edu (Daryl Clevenger) writes:
> Being relatively naive about
> UNIX and not knowing its history, he picked '@' as his special character,
> which /bin/passwd gladly accepted.

Why is this a problem? He just has to enter `@' as `\@'.
--
--Andrew Koenig
ark@europa.att.com
debra@alice.UUCP (Paul De Bra) (12/25/88)
In article <8598@alice.UUCP> ark@alice.UUCP (Andrew Koenig) writes:
]In article <3934@pt.cs.cmu.edu>, dlc@dlc.fac.cs.cmu.edu (Daryl Clevenger) writes:
]> Being relatively naive about
]> UNIX and not knowing its history, he picked '@' as his special character,
]> which /bin/passwd gladly accepted.
]
]Why is this a problem? He just has to enter `@' as `\@'.
]--
] --Andrew Koenig

It is a problem because of the inconsistency: the password he gave to the passwd program is NOT the password he has to type to log on. Passwd should have treated the char @ the same way login does, even if this user has a different kill-line character, because login will use the default.

Paul.
--
------------------------------------------------------
|debra@research.att.com | uunet!research!debra |
------------------------------------------------------
ado@elsie.UUCP (Arthur David Olson) (12/25/88)
> > . . .[a user] picked '@'. . .which /bin/passwd gladly accepted.
> Why is this a problem? [The user] just has to enter `@' as `\@'.

The problem is that /bin/passwd fails to tell the user the above.
--
Arthur David Olson ado@ncifcrf.gov
ADO is a trademark of Ampex.
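The failure the thread describes, as an added example that is not part of any of the posts above and not HP/UX or /bin/passwd code: a small simulation of the canonical-mode line editing an early UNIX tty driver applied to whatever was typed at the "login:" and "Password:" prompts, plus the check a passwd program could have made so that the password it stores is the password login will actually receive. It assumes the classic V7-style defaults (erase '#', kill '@', a backslash escapes either editing character and is itself discarded); the function names are hypothetical. It models the default kill character, which is the relevant one because, as Paul De Bra notes, login uses the default regardless of what the user later sets.

```python
# Added example, not from the Usenet thread. Assumed V7-style tty defaults:
# erase is '#', kill is '@', and '\' escapes either (the backslash is dropped).
ERASE = "#"
KILL = "@"
ESCAPE = "\\"


def canonical_process(typed: str, erase: str = ERASE, kill: str = KILL) -> str:
    """Return the line the tty driver hands to the program after line editing.

    This is what login sees when the user types `typed` at the prompt:
    erase deletes the previous character, kill discards the whole line so far,
    and an escaped editing character is taken literally.
    """
    out = []
    i = 0
    while i < len(typed):
        ch = typed[i]
        if ch == ESCAPE and i + 1 < len(typed) and typed[i + 1] in (erase, kill):
            out.append(typed[i + 1])  # "\@" -> literal "@", backslash discarded
            i += 2
            continue
        if ch == erase:
            if out:
                out.pop()             # "#" rubs out the preceding character
        elif ch == kill:
            out.clear()               # "@" throws away everything typed so far
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def password_survives_login(password: str) -> bool:
    """True if typing the password verbatim at login yields the same string."""
    return canonical_process(password) == password


def has_required_special(password: str) -> bool:
    """The policy from the thread: at least one non-alphanumeric character."""
    return any(not c.isalnum() for c in password)


def passwd_check(password: str) -> tuple[bool, str]:
    """Hypothetical passwd-side policy check.

    Besides requiring a special character, it rejects any password that the
    default tty editing would alter, and tells the user what login would see,
    which is the message the original /bin/passwd failed to give.
    """
    if not has_required_special(password):
        return False, "needs at least one non-alphanumeric character"
    if not password_survives_login(password):
        seen = canonical_process(password)
        return False, (
            f"contains a tty editing character ({ERASE!r} or {KILL!r}); "
            f"login would receive {seen!r} instead"
        )
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("secret@12", "secret\\@12", "secret.12", "secret12", "abc#d"):
        print(repr(pw), "->", passwd_check(pw), "login sees", repr(canonical_process(pw)))
```

Typed verbatim, "secret@12" reaches login as "12", which is why the password never matched; typed as "secret\@12" it arrives intact, which is Andrew Koenig's workaround. The check rejects the first form at passwd time with an explanation, and accepts a password whose special character ('.') the tty leaves alone.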