ac02%ntvaxa.DECnet@UTADNX.CC.UTEXAS.EDU ("NTVAXA::AC02") (12/29/87)
> The question is: given an arbitrary hashed password can you easily
> derive the original?  The fact is that *ANYONE* with access to the UAF can
> get all the hashed passwords for all the users on the system ... this does
> not give you access to all the accounts however.

This is true.  The easy solution to this is NOT to give anybody outside of
the SYSTEM access to the UAF files, i.e. (RWED,RWED,,).  I have my UAF set up
that way and it works.

> > Darn right.  A program can pull UAF data for whatever UIC happens to
> > EXECUTE it, NOT just the one that OWNS it.

That is a very possible occurrence.  There are steps a system manager needs
to take to limit these problems.  If a user wants to put a program in a
public area, make him give you the source.  You scan the source very quickly
and search for dangerous system service calls: $GETUAI, $SETUAI, RMS stuff
with the protection XAB, etc.  Recompile the source yourself, because the
user could give you one source program and another executable program.  Let
the user know you are going to do this.  While it is true that you could
miss something in your search, the user will be afraid of being caught and
probably won't give you the program to start with if there is something in
it.  Note: this scheme is not perfect, but is about as good as you can do.

The other case is: user A writes a program and gives the world access to it.
User A tells user B about it.  User B runs the program and it puts a neat
graphics display on the screen, but meanwhile records his hashed password.
There is NOTHING that you can really do about this except to warn the users,
who probably will think you are paranoid when you tell them this.  I have yet
to know of an occurrence of either of these two at my site.

The password problems that do occur somewhat regularly are:

1. Users not being careful about typing in the password where no one can
   see it.

2. Using the same password on different systems.  I hate to admit it, but I
   got burned on a UNIX system due to this one.  I had my MUSIC, non-priv
   VMS, and UNIX accounts with the same password.  Somebody somehow figured
   out one of them and got into my UNIX account and tried from there to
   break into an instructor's account and the system manager's account.
   Fortunately, I had known the system manager for a long time, and he
   believed that I had nothing to do with it.  I have been a lot more
   careful since and it has not happened again.  By the way, UNIX security
   is a real joke; VMS security is light-years better.

3. Users just leaving their terminals logged in.  They leave and don't come
   back.

4. Users giving out their passwords to other people.

5. The DECnet access strings of the form node"userid password":: are more
   trouble.

Summary: It is possible for someone to always figure out a way to break
into other people's accounts, but if you take adequate measures, you can
eliminate the majority of all break-in attempts.  Try to figure out who the
hackers are.  Even in a university environment you can usually figure out
who they are by watching for unusual actions.

================================================================================
Billy Barron               Bitnet   : BILLY@NTSUVAX or AC02@NTSUVAX
VAX Programmer/Operator    TEXNET   : NTVAXB::BILLY or NTVAXB::AC02
North Texas State Univ.    Internet : billy%ntvaxb.decnet@utadnx.cc.utexas.edu
================================================================================
dhesi@bsu-cs.UUCP (Rahul Dhesi) (12/30/87)
In article <8712291637.AA21265@ucbvax.Berkeley.EDU> "NTVAXA::AC02"
<ac02%ntvaxa.decnet@utadnx.cc.utexas.edu> writes:

> By the way UNIX security is a real joke, VMS security is light-years better.

I question this generalization.  As simple illustrative examples, consider
two points:

a. On all UNIX systems I've ever used, I have always included one or more
   control characters or special characters in my password, making it
   impossible to guess using the dictionary approach.  VMS complains of a
   syntax error when I do this.  So under UNIX, I could take an
   easy-to-remember password like "indiana" and make it secure by changing
   a character to a control character, or inserting a special character,
   as in "indi^Ana" or "in&diana", without making it hard to remember.
   Under VMS I have to come up with some meaningless concoction like
   "kyep-morg-arrgh" which, while guaranteed pronounceable by VMS, is also
   guaranteed impossible to remember.

b. Under UNIX, an unprivileged user can make a program available to the
   public, yet any data files used by the program can be writable by the
   program but not directly writable by other users.  Under VMS,
   unprivileged users can't do this, so they have to "hide" their files by
   giving them long names and hope nobody figures out these names.  Once
   in a while I type "show device/files" and am amused to see such files
   listed there for all to see.

This is not meant to start another UNIX/VMS war, but any time you make
such a rash generalization you are inviting counter-examples.
--
Rahul Dhesi         UUCP:  <backbones>!{iuvax,pur-ee,uunet}!bsu-cs!dhesi
rrk@byuvax.bitnet (12/31/87)
Any simple substitution of "^A" for "A" in a password is easily guessed.
You can use non-alphabetic characters such as "$" or "_", and probably
others, but this is "light years" behind generated passwords.  I use
generated passwords (ten digit) all the time.  I've never had trouble
periodically memorizing a new password generated by VMS.  And it sure
helps prevent many security problems with user-generated passwords.

I'll bet I could watch over your shoulder while you type "Indiana" and
even see how many times your finger brushes the control key, and try a few
variations and be in.  But I have yet to have anyone--even several who
have tried--glance and pick up my generated password as I've typed it in.
It may be a little harder for me to remember, but it'll be a lot harder
for someone who sees it for the first time and never sees it all echoed
together.

Just so you won't be disappointed:  UNIX Security?  BOO HISS!
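The two preceding posts disagree on whether a dictionary word with one control or special character inserted is still guessable. The following is an added example, not code from any of the posts, that runs a small dictionary attack with mangling rules of exactly that kind against a dumped user/hash list. Assumptions: a salted SHA-256 stands in for the VMS and UNIX password hashes (the attack depends only on the size of the candidate space, not on the hash), and the wordlist, salt and UAF-style dump are constructed for the demo.

```python
"""Dictionary attack with mangling rules, run against a hashed-password list.

Added example for this thread, not code from any of the posts.  Assumptions:
a salted SHA-256 stands in for the VMS/UNIX password hash (the attack only
depends on the candidate space, not on the hash), and the wordlist, salt and
the UAF-style dump below are constructed for the demo.
"""
import hashlib

# Constructed wordlist: a tiny stand-in for a real dictionary.
WORDLIST = ["indiana", "texas", "password", "secret", "vax", "unix"]

# Special characters a user is likely to sprinkle in, and ^A..^Z (0x01..0x1a).
SPECIALS = "&$_!#"
CONTROLS = [chr(c) for c in range(1, 27)]


def hash_pw(password, salt=b"demo-salt"):
    """Stand-in hash (assumption); real systems used crypt(3) or the VMS Purdy hash."""
    return hashlib.sha256(salt + password.encode("latin-1")).hexdigest()


def mangle(word):
    """Yield the word plus the cheap variants the posts above argue about."""
    yield word
    yield word.capitalize()
    yield word.upper()
    # One special character inserted at any position ("in&diana").
    for i in range(len(word) + 1):
        for s in SPECIALS:
            yield word[:i] + s + word[i:]
    # One letter replaced by its control-character counterpart ("indi^Ana").
    for i, ch in enumerate(word):
        if ch.isalpha():
            yield word[:i] + chr(ord(ch.lower()) - ord("a") + 1) + word[i + 1:]
    # One control character inserted at any position.
    for i in range(len(word) + 1):
        for c in CONTROLS:
            yield word[:i] + c + word[i:]


def candidate_count(wordlist=WORDLIST):
    """Size of the search space the rules generate; tiny next to 10 random chars."""
    return sum(1 for w in wordlist for _ in mangle(w))


def crack(targets, wordlist=WORDLIST):
    """Return {user: password} for every hash in `targets` the rules reach.

    `targets` maps user -> hash, the way a dumped UAF (or /etc/passwd) would.
    """
    by_hash = {h: user for user, h in targets.items()}
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            user = by_hash.get(hash_pw(cand))
            if user is not None and user not in found:
                found[user] = cand
    return found


# Constructed UAF-style dump.  Two passwords follow the "mangled dictionary
# word" recipe; the third mimics a VMS-generated one and is in no wordlist.
TARGETS = {
    "dhesi1": hash_pw("indi\x01na"),    # "indi^Ana"
    "dhesi2": hash_pw("in&diana"),
    "rrk": hash_pw("KYEPMORGAR"),
}

if __name__ == "__main__":
    hits = crack(TARGETS)
    print(f"{candidate_count()} candidates tried, "
          f"recovered {len(hits)} of {len(TARGETS)} passwords")
    for user, pw in hits.items():
        print(f"  {user}: {pw!r}")
```

The rules expand a seven-letter word to a few hundred candidates, so a wordlist of tens of thousands of entries stays within reach of an attacker holding the hash list, whichever hash the system uses; the generated-style password is not reached because it is not derived from any word. The cost per guess would be higher with a real crypt(3) or Purdy hash, but the size of the search space is what decides the outcome.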
simpsong@ncoast.UUCP (Gregory R. Simpson @ The North Coast) (01/08/88)
In article <48rrk@byuvax.bitnet> rrk@byuvax.bitnet writes:
>Any simple substitution of "^A" for "A" in a password is easily guessed.
>You can use non-alphabetic characters such as "$" or "_", and probably
>others, but this is "light years" behind generated passwords.  I use generated
>passwords (ten digit) all the time.  I've never had trouble periodically
>memorizing a new password generated by VMS.  And it sure helps prevent many
>security problems with user-generated passwords.
> ... I could break-in and you couldn't deleted ...

There is one big problem with generated passwords.  If the casual user is
forced to use a 10-digit nonsense password, often they will just write it
down.  Presto, you don't even have to watch them type at the keyboard...
all you have to do is open their desk drawer and read it off of their memo
pad...

-grs
--
--- Gregory R. Simpson
Preferred Internet: SIMPSONG%ATD1.decnet@ge-crd.arpa
or Alternate Internet: necntc!ncoast!simpsong@harvard.HARVARD.EDU
UUCP: <BACKBONE>!cbosgd!ncoast!simpsong
UUCP: {ames,mit-eddie,harvard,talcott}!necntc!ncoast!simpsong
UUCP: {well,sun,pyramid,ihnp4}!hoptoad!ncoast!simpsong
CSNET: ncoast!simpsong@CWRU.EDU (CSnet)