info-vax@ucbvax.ARPA (02/25/85)
From: *Hobbit* <AWalker@RUTGERS.ARPA> Can the default username for system initialization be changed somehow? This would allow *not* having a SYSTEM account for someone to try and break into. The way I see it now, you *must* have a SYSTEM account with full privileges. _H* -------
info-vax@ucbvax.ARPA (02/25/85)
From: Jerry Leichter <Leichter@YALE.ARPA>
Can the default username for system initialization be changed somehow?
This would allow *not* having a SYSTEM account for someone to try and break
into. The way I see it now, you *must* have a SYSTEM account with full
privileges.
_H*
-------
This hardly seems worth the trouble. Put an 8-character, randomly chosen
password on SYSTEM and you are safe as you are likely to get.
If you really feel that you want to do this, you might try setting the
SYSTEM account DISUSER. I doubt the startup job goes through any of the
normal login procedures, so it should not be affected. (I'd do this on
a removable pack, just to be sure I could put the world back together if
I failed.) That should keep people frustrated....though how it differs
from a good password is beyond me. (User tries to get in. Whether SYSTEM
exists and he has the wrong password, or it doesn't exist, or it exists,
he has the right password, but it is DISUSER'ed, he gets the same error
message. How is one more effective than the other?)
Also, there are other standard accounts - FIELD and DECNET come to mind.
Plus, it's usually a trivial matter to find out the names of a couple of
users on any system. Or guess that SMITH or JOHNSON is probably out there
somewhere.
-- Jerry
-------info-vax@ucbvax.ARPA (02/25/85)
From: Mike Iglesias <iglesias@uci-icsa> DISUSER is more effective because if the user manages to stumble on to the correct password, he still can't get on.
info-vax@ucbvax.ARPA (02/25/85)
From: Jerry Leichter <Leichter@YALE.ARPA>
DISUSER is more effective because if the user manages to stumble on
to the correct password, he still can't get on.
If an 8-character randomly chosen password it used, there is about as much
chance of the user "stumbling upon it" as there is that random errors in
memory will suddenly create a process running in the system account running
on the user's terminal. (Well, maybe that's an exageration; but if you
sat down and computed it, I'd bet that the chances of a memory error, not
detectable by the ECC logic, which turns on bits in the user's privilege
mask is in the same ballpark of probability as of guessing a random
password.)
If by "stumble upon" you mean that the user may see someone using it, there
is a simple solution: Let one person construct the random password, put
it in, never use it, never write it down, never tell anyone else what it
was.
When I say a "random password", I mean really random - not someone's name
or an English word or anything like that. Start any reasonable pseudo-
random number generator from the exact time of time, run for a thousand
steps, then use to select characters; that's as close to random as you
need. (Use a pseudo random number generator with a very long period.
See Knuth for tons of examples.)
The reason for saying "8 characters" is that the VMS password encryption
algorithm folds longer passwords down to 8 bytes anyway. (Actually, to
be exact, the result of the fold may not be equivalent to any actual
8-byte password, since there are a lot of bytes that can't be part of a
password as typed. So use 16 bytes if you want.)
Really, this is silly. Despite all the movies and TV shows that have
people with micros "trying all the passwords", systems simply cannot
be broken into this way. Passwords can be guessed if they are chosen
poorly - from too small a set of possibilities (English words, names,
output of a random number generator with a small period). They can be
compromised by a variety of means, ranging from watching people as they
type, to tapping phone lines, to bribery.
-- Jerry
-------info-vax@ucbvax.ARPA (03/04/85)
From: ulysses!clyde!watmath!utcsri!orton@BERKELEY (Ed Orton) On all our system running VMS all DEC default accounts are DISUSERED. This has no effect on the startup, and eliminates the security problem you suggest.