[comp.os.vms] Response to <8712192213.AA27374@ucbvax.Berke>

mbr@beta (01/04/88)

In article <1740@bsu-cs.UUCP> cfchiesa@bsu-cs.UUCP (Christopher F. Chiesa) writes:
>Oh, really?  A college sophomore here at BSU sent me a mail message one day
>saying "run such-and-such program in my area..." - I ran it and was shown the
>binary string representing the hashed version of my password.  

Of course: the hashed password that you can get from $getuai is the
password for the username running the program, not the password for
the username that wrote the program.  (btw, running a college sophomore's
program without knowing exactly what it does is probably not a real
good idea, unless done from a username with no privs, no files you
aren't willing to have destroyed, etc. or unless you really trust
the sophomore.)

>Anyone with access to the file 
>could then run the program on their OWN area, reading their OWN password, 
>play with their password until their bit-pattern matched MY bit-pattern,
>and have a valid password to use to log into my account.  

This won't work.  Part of the hashed password is your username.
Two usernames with the same password will have different hashed
passwords.  There is also a random number (the "salt") mashed
in there.

>if he were to unleash this thing on
>the "public" (say, as an unannounced adjunct to a "public-access" program,
>of which there are probably hundreds here), that would imply W:RW access,
>meaning that soon there'd be a file full of passwords that EVERYONE could 
>peek into at leisure.  BIG security hole, if you ask me.

The "big security hole" is everyone running just any old 
"public-access program".  I also think you exaggerate the ease of
somehow inverting hashed passwords to give plaintext.  The algorithm
was designed to make this difficult.  If you have some insight into
how to do this or examples of it being done I'd like to hear them.


>this soph and I verified that I obtained the SAME bit-pattern
>from TWO slightly-different passwords, and that EITHER password would allow
>access to my account after using SET PASSWORD to set EITHER of them as my
>"real" password.  Hole, hole, HOLE!!!

I'm real curious about this.  Would you send me details?

-Mike Rose
mbr@lanl.gov
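
The point in the reply above about the username and salt being part of the hashed password, as an added example that is not part of the original post. PBKDF2-HMAC-SHA256 stands in for the VMS hashing algorithm, which this sketch does not reproduce; the usernames, salts, passwords and function names are all constructed for illustration.

```python
import hashlib
import hmac

def hash_password(username: str, password: str, salt: bytes) -> bytes:
    """Stand-in hash (NOT the VMS algorithm): the per-account salt and the
    username are mixed into the computation along with the password."""
    mix = salt + username.encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), mix, 10_000)

def make_record(username: str, password: str, salt: bytes) -> dict:
    """Constructed authorization record: what the system would store."""
    return {"username": username, "salt": salt,
            "hash": hash_password(username, password, salt)}

def verify(record: dict, password: str) -> bool:
    """Login check: re-hash with the account's OWN username and salt."""
    candidate = hash_password(record["username"], password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def match_on_own_account(victim_hash, own_username, own_salt, guesses):
    """The approach from the quoted post: set each guess as your own
    password and compare the resulting bit pattern with the victim's."""
    return [g for g in guesses
            if hmac.compare_digest(
                hash_password(own_username, g, own_salt), victim_hash)]

# Constructed sample accounts.
VICTIM = make_record("ALICE", "sample-pw-1", bytes.fromhex("1a2b"))
OTHER_SALT = bytes.fromhex("77c3")

if __name__ == "__main__":
    guesses = ["sample-pw-1", "sample-pw-2"]
    # Even a guess equal to the victim's real password produces a different
    # bit pattern under another username and salt, so nothing matches.
    print(match_on_own_account(VICTIM["hash"], "BOB", OTHER_SALT, guesses))
    # The same password only verifies against the victim's own record.
    print(verify(VICTIM, "sample-pw-1"))
```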

mbr@beta (01/04/88)

In article <9909@ufcsv.cis.ufl.EDU> jmb@beach.cis.ufl.edu (John M Boof) writes:

>Ah, but GETUAI will give the hashed password and all UAF information for
>any user in your Group ID (UIC) - at least on the VAXes I have used.


According to the system services reference manual that is only
true if you have the privilege GRPPRV.  

I tested this under VMS 4.6 and it is implemented as described 
in the manual.  Does everyone have GRPPRV on your VAXen?  


Mike Rose
mbr@lanl.gov