[comp.sys.dec] QUEST for VAX users *********

inde5wl@jetson.uh.edu (03/19/91)

I am an amateur VAX user. I have recently come across a small bug.
Some VAX operating systems remember old passwords and prevent you
from using the same password if you wish to change it again.

Q: How could I display all my previous passwords?

Why do I ask? Well I like to learn about the system by trying
to do the impossible. And obsession is my worst vice.
I won't rest until I find the answer.

Somebody please help.


-------------------------------------------------------------------------
elroy::inde5wl

computers were made to run hell not earth......


------------------------------------------------------------------------

marra@samuel.enet.dec.com (Dave Marra) (03/19/91)

>inde5wl@jetson.uh.edu writes:

>I am an amateur VAX user. I have recently come across a small bug.

Why is it that if it isn't anything like U*ix or DOS, it's a bug?  Have you
ever heard of security?

>Some VAX operating systems remember old passwords and prevent you
>from using the same password if you wish to change it again.

Which ones? Ultrix, VMS, OSF/1?  Which VAX operating system?
Actually, I've never heard of a "VAX" operating system.  Is this much
like the VAX vacuum cleaner found on Sears stores now?

>I won't rest until I find the answer.

Happy unrest....

						.dave.

+   Dave Marra                                                                 
+   TMF Engineering                                                            
+   X11/Motif/Shared Library Performance, Regression, and Validation suites    
+   Currently working AT DEC in Merrimack, NH                                  

rcomarow@dave.mis.semi.harris.com (Bob Comarow) (03/19/91)

What makes you think that not being able to display passwords 
is a bug?

tihor@acf3.NYU.EDU (Stephen Tihor) (03/20/91)

Tsk.  The best reference is the guide to system security.  Since passwords
on modern operating systems are only stored after a one-way encryption/hash
it is impossible to recover the old ones directly.  Since modern operating
systems store the user authentication base in an area not readable by
the user community you can't even get at the old hashed values to compare
with except by using the system services (os calls) provided for that purpose.

okunewck@psuvax1.cs.psu.edu (Phil OKunewick) (03/20/91)

In article <8819.27e524ea@jetson.uh.edu> inde5wl@jetson.uh.edu writes:
>
>I am an amateur VAX user. I have recently come across a small bug.
>Some VAX operating systems remember old passwords and prevent you
>from using the same password if you wish to change it again.
>Q: How could I display all my previous passwords?
>Why do I ask? Well I like to learn about the system by trying
>to do the impossible. And obsession is my worst vice.
>I won't rest until I find the answer.
>Somebody please help.

   "That's not a bug; that's a feature."

   This sounds like a poor attempt to get cracking advice.  Now, I'm
not accusing anybody here; just pointing out the resemblance.
Basically, it's really not the sort of request you want to make
publicly.

   First, a good password system does not allow anybody to list
passwords; only verification is allowed.  There are ways of making
password listing impossible, even if you can read the file passwords
are stored in.  That's all I'm going to say on the subject, and I
don't think the net is the place to expand on this further.

   Next, asking publicly on the net for password-cracking advice is
STUPID!  How many people do you think read this newsgroup?  How many
would-be crackers do you think would snarf up anything that gets
posted on the subject, and use it for unethical (and probably illegal)
purposes?

   AN ALTERNATIVE:  There is a _lot_ you can learn and do with a
system, instead of password cracking.  Listing old passwords is not a
worthwhile endeavor - what do you _really_ gain?
   Find a manual on your system; explore other things.  Do you have
any idea of the architecture of your processor?  Look into it.  Figure
out how to whip together some code, optimized for your system (which
will be slow on other systems, of course).  How about Disk I/O, or I/O
in general?  Now, _that_ info is worth knowing.
   A tested/tried/true hack is playing music on the lineprinter - the
end result is not worth much, but it's a neat hack and what you learn
in the process is very useful.  Try hacking your system's editor to
behave like another system's editor - that's a fun one.  (This is a
good hackitude test - a normal user will say "Dumb - why bother?", but
a hacker will say "Neat.")

marra@samuel.enet.dec.com (Dave Marra) (03/20/91)

I apologize for my rather rude comments this morning.  I spent yesterday
talking with someone about the misperceptions people have of operating
systems other than the one they learned from to start.

Anyway, I'm sorry for the outburst.

As the other replies indicated, you can't get to your old passwords.
What you can do is to modify your UAF entry such that you do not have to
change your password at all.  This way you can set it to anything you want
and VMS won't expire the password on you.  Do this with the command:

$ set def sys$system:
$ run authorize
UAF> modify <username> /PWDLIFETIME=0/PASSWORD=("foo","bar")
UAF> exit
$

This will provide the user with a password that will not have to be
changed, and will also give the user two passwords: the first will be
'foo', the second will be 'bar'...

Hope this helps.
						.dave.

                     

nieland_t@kahuna.asd-yf.wpafb.af.mil (03/24/91)

In article <8819.27e524ea@jetson.uh.edu>, inde5wl@jetson.uh.edu writes:
>
> I am an amateur VAX user. I have recently come across a small bug.
> Some VAX operating systems remember old passwords and prevent you
> from using the same password if you wish to change it again.
>
> Q: How could I display all my previous passwords?
>
> Why do I ask? Well I like to learn about the system by trying
> to do the impossible. And obsession is my worst vice.
> I won't rest until I find the answer.
>
> Somebody please help.
-- 
1.  The password history is a feature of VMS 5.4, not a bug.  DECUS
asked that this feature be included in VMS and DEC added it.

2. Old passwords are not stored on the system, just the old hash values.  When
a new password is requested, the system checks the hash value of the new 
password against the stored list of old hash values.  If it finds a duplicate
it complains about the password.

3.  The only way to "find" and list the old passwords is to run a random 
character generator against the hash list until it randomly generates the old 
passwords.  Please note that while this type of program is rather easy to 
write and get running, it uses lots of CPU time.  I would estimate about five 
to six hours on a VAX 9000 to come up with the list of old passwords for one 
user. 

Ted Nieland				nieland_t@kahuna.asd-yf.wpafb.af.mil
Control Data Corporation		nieland@dayfac.cdc.com
(513) 427-6355				ted@nieland.dayton.oh.us
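
Added example, not part of the thread: the check described in point 2 of the post above (a password history that keeps only hash values and compares the hash of a new password against them), sketched in Python. The VMS hash algorithm and UAF record layout are not reproduced here; PBKDF2-HMAC-SHA256 with a per-entry salt, the `PasswordHistory` class, the iteration count and the history depth are all assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000      # assumed work factor for this sketch
HISTORY_DEPTH = 5         # assumed number of hashes retained


def _hash(password: str, salt: bytes) -> bytes:
    """One-way hash of the password; the cleartext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Holds (salt, hash) pairs for the current and previous passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.entries: list[tuple[bytes, bytes]] = []   # newest last

    def was_used(self, candidate: str) -> bool:
        # Every entry has its own salt, so the candidate is re-hashed per entry.
        hit = False
        for salt, digest in self.entries:
            if hmac.compare_digest(_hash(candidate, salt), digest):
                hit = True   # no early exit: same work whichever entry matches
        return hit

    def change(self, new_password: str) -> bool:
        """Reject a remembered password; otherwise record its hash and trim."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)
        self.entries.append((salt, _hash(new_password, salt)))
        del self.entries[:-self.depth]   # keep only the newest `depth` hashes
        return True


def demo() -> list[bool]:
    # Constructed sample passwords, for illustration only.
    h = PasswordHistory(depth=2)
    return [h.change("first-Pass1"),
            h.change("second-Pass2"),
            h.change("first-Pass1"),    # still remembered: rejected
            h.change("third-Pass3"),    # accepted, evicts "first-Pass1"
            h.change("first-Pass1")]    # no longer remembered: accepted
```

The history can answer "was this password used before?" but holds nothing from which a list of old passwords can be printed.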