chris@trantor.umd.edu (Chris Torek) (02/16/88)
In article <468@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
>If VMS can actually determine that you have used the same password, then it
>is either keeping your unencrypted password somewhere, or it encrypts it the
>same each time. Either is a major security hole....

Neither is necessary. Using the `salted DES' approach, you could just
store the old encrypted passwords somewhere, and compare against each
one in the same way you compare against the current one at login.

Knowing VMS as superficially as I do :-) , however, I would stay
suspicious until someone outside of DEC marketing claims it is
secure :-) .
--
In-Real-Life: Chris Torek, Univ of MD Computer Science, +1 301 454 7163
(hiding out on trantor.umd.edu until mimsy is reassembled in its new home)
Domain: chris@mimsy.umd.edu    Path: not easily reachable
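The password-history check described in the post above, as an added example that is not part of the original thread: each retired hash keeps its own salt, and a candidate is re-hashed under every stored salt exactly as at login. PBKDF2-HMAC-SHA256 stands in here for the salted DES `crypt(3)` of the period; the class name, history depth and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password, entry):
    """Login-style check: re-hash the candidate under the entry's own salt."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class PasswordHistory:
    """Current hash plus the last `depth` retired hashes; no plaintext is kept."""

    def __init__(self, initial, depth=3):
        self.depth = depth
        self.current = hash_password(initial)
        self.old = []  # most recently retired entry first

    def is_reused(self, candidate):
        # Evaluate every entry rather than stopping at the first hit.
        results = [matches(candidate, e) for e in [self.current, *self.old]]
        return any(results)

    def change(self, new_password):
        """Reject a reused password; otherwise retire the current hash."""
        if self.is_reused(new_password):
            return False
        self.old = [self.current, *self.old][: self.depth]
        self.current = hash_password(new_password)
        return True
```

The same password hashed twice yields two different stored values, so reuse is detectable without storing plaintext and without encrypting "the same each time".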
dhesi@bsu-cs.UUCP (Rahul Dhesi) (02/17/88)
>>If VMS can actually determine that you have used the same password, then it
>>is either keeping your unencrypted password somewhere..

Probably not, but if you mistype your password a number of times, it is
quite likely that what you type will be recorded in hard-copy on the
operator's console.
--
Rahul Dhesi    UUCP: <backbones>!{iuvax,pur-ee,uunet}!bsu-cs!dhesi
mikel@codas.att.com (Mikel Manitius) (02/17/88)
In article <2133@bsu-cs.UUCP>, dhesi@bsu-cs.UUCP (Rahul Dhesi) writes:
>
> Probably not, but if you mistype your password a number of times, it is
> quite likely that what you type will be recorded in hard-copy on the
> operator's console.

We had that problem here when we modified login to show unsuccessful
login attempts on the console. Login would print the login name and
date of the unsuccessful attempt.

We soon learned that often over-anxious users type their password at
the login prompt, resulting in its showing up on the console.

That soon changed to a "secure" file.
--
Mikel Manitius    mikel@codas.att.com
dhesi@bsu-cs.UUCP (Rahul Dhesi) (02/17/88)
I accused VAX/VMS of:
>> ...if you mistype your password a number of times, it is
>> quite likely that what you type will be recorded in hard-copy on the
>> operator's console.

In article <2500@codas.att.com> mikel@codas.att.com (Mikel Manitius) writes:
>We soon learned that often over-anxious users type their password at
>the login prompt, resulting in its showing up on the console.

That is true, but in the case of VAX/VMS, you don't have to
accidentally type your password at the "Username:" prompt for it to
appear on the console. It's enough to be unable to log in a number of
times, and this helpful operating system will make a console record of
the username *and* the password that were typed.
--
Rahul Dhesi    UUCP: <backbones>!{iuvax,pur-ee,uunet}!bsu-cs!dhesi
evan@saturn.ucsc.edu (Evan Schaffer) (02/18/88)
>In article <2500@codas.att.com> mikel@codas.att.com (Mikel Manitius) writes:
>>We soon learned that often over-anxious users type their password at
>>the login prompt, resulting in its showing up on the console.
>
>That is true, but in the case of VAX/VMS, you don't have to
>accidentally type your password at the "Username:" prompt for it to
>appear on the console. It's enough to be unable to log in a number of
>times, and this helpful operating system will make a console record of
>the username *and* the password that were typed.
>--
>Rahul Dhesi UUCP: <backbones>!{iuvax,pur-ee,uunet}!bsu-cs!dhesi

You must have a very strange version of VMS. Harvey Mudd College has
several VMS systems, and a casual look at the login records on the
console shows no sign of the user's passwords being printed out.

+------------------------------------+---------------------------------------+
| Michael Wolf                       | An old Scandinavian quote:            |
| BITNET: wolf@ucscj.BITNET          | "You can lead a herring to water,     |
| ARPA:   wolf@ssyx.ucsc.edu         |  but you have to walk real fast,      |
| UUCP:   ...ucbvax!ucscc!ssyx!wolf  |  or else he'll die."                  |
+------------------------------------+---------------------------------------+
arosen@eagle.ulowell.edu (MFHorn) (02/21/88)
In article <1996@saturn.ucsc.edu> wolf@ssyx.ucsc.edu (Michael Wolf) writes:
>>In article <2500@codas.att.com> mikel@codas.att.com (Mikel Manitius) writes:
>>>We soon learned that often over-anxious users type their password at
>>>the login prompt, resulting in its showing up on the console.
>>
>>It's enough to be unable to log in a number of
>>times, and this helpful operating system will make a console record of
>>the username *and* the password that were typed.
>
>You must have a very strange version of VMS. Harvey Mudd College has
>several VMS systems, and a casual look at the login records on the
>console shows no sign of the user's passwords being printed out.

This is all configurable by your system manager. S/he can set it up
so if you get n invalid login attempts (ie. if the system detects a
possible breakin attempt), it starts reporting them to the log file
and/or operator terminals (like the console, usually), password and
all. I think n is also configurable. This can be turned on for the
different types of logins, interactive, network, batch, etc. (7 in
all), or turned off completely.

I still think printing the password under ANY circumstance is wrong.
If you think someone is trying to crack a password, change it.

Andy Rosen           | arosen@hawk.ulowell.edu | "I got this guitar and I
ULowell, Box #3031   | ulowell!arosen          |  learned how to make it
Lowell, Ma 01854     |                         |  talk" -Thunder Road
                RD in '88 - The way it should be
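An added sketch, not taken from any post in this thread or from VMS or the modified login discussed above, of failure reporting that avoids both leaks the thread describes: the typed password never reaches the auditor, and a name typed at the username prompt is echoed only if it matches a real account. The class name, threshold value, terminal names and account list are assumptions.

```python
class LoginAuditor:
    """Counts failures per terminal and reports them without recording secrets."""

    def __init__(self, known_users, threshold=3):
        self.known_users = set(known_users)
        self.threshold = threshold   # the "n" of the break-in detection
        self.failures = {}           # terminal -> consecutive failure count
        self.console = []            # stands in for the operator console or log

    def _safe_name(self, typed):
        # A string that matches no account may be a password typed at the
        # wrong prompt, so it is never echoed to the console.
        return typed if typed in self.known_users else "<unknown user>"

    def failure(self, terminal, typed_username):
        """Record one failed attempt; the password is deliberately not a parameter."""
        count = self.failures.get(terminal, 0) + 1
        self.failures[terminal] = count
        self.console.append(
            f"login failure on {terminal} for {self._safe_name(typed_username)}"
        )
        if count == self.threshold:
            self.console.append(
                f"possible break-in on {terminal}: {count} consecutive failures"
            )
        return count

    def success(self, terminal):
        """A successful login clears the terminal's failure count."""
        self.failures.pop(terminal, None)
```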