info-vax@ucbvax.ARPA (02/25/85)
From: *Hobbit* <AWalker@RUTGERS.ARPA>

Can the default username for system initialization be changed somehow? This would allow *not* having a SYSTEM account for someone to try and break into. The way I see it now, you *must* have a SYSTEM account with full privileges.

_H*
-------
info-vax@ucbvax.ARPA (02/25/85)
From: Jerry Leichter <Leichter@YALE.ARPA>

> Can the default username for system initialization be changed somehow? This would allow *not* having a SYSTEM account for someone to try and break into. The way I see it now, you *must* have a SYSTEM account with full privileges.
>
> _H*
> -------

This hardly seems worth the trouble. Put an 8-character, randomly chosen password on SYSTEM and you are as safe as you are likely to get.

If you really feel that you want to do this, you might try setting the SYSTEM account DISUSER. I doubt the startup job goes through any of the normal login procedures, so it should not be affected. (I'd do this on a removable pack, just to be sure I could put the world back together if I failed.) That should keep people frustrated... though how it differs from a good password is beyond me. (User tries to get in. Whether SYSTEM exists and he has the wrong password, or it doesn't exist, or it exists, he has the right password, but it is DISUSER'ed, he gets the same error message. How is one more effective than the other?)

Also, there are other standard accounts - FIELD and DECNET come to mind. Plus, it's usually a trivial matter to find out the names of a couple of users on any system. Or guess that SMITH or JOHNSON is probably out there somewhere.

-- Jerry
-------
info-vax@ucbvax.ARPA (02/25/85)
From: Mike Iglesias <iglesias@uci-icsa>

DISUSER is more effective because if the user manages to stumble on to the correct password, he still can't get on.
info-vax@ucbvax.ARPA (02/25/85)
From: Jerry Leichter <Leichter@YALE.ARPA>

> DISUSER is more effective because if the user manages to stumble on to the correct password, he still can't get on.

If an 8-character randomly chosen password is used, there is about as much chance of the user "stumbling upon it" as there is that random errors in memory will suddenly create a process running in the system account running on the user's terminal. (Well, maybe that's an exaggeration; but if you sat down and computed it, I'd bet that the chances of a memory error, not detectable by the ECC logic, which turns on bits in the user's privilege mask is in the same ballpark of probability as of guessing a random password.)

If by "stumble upon" you mean that the user may see someone using it, there is a simple solution: Let one person construct the random password, put it in, never use it, never write it down, never tell anyone else what it was.

When I say a "random password", I mean really random - not someone's name or an English word or anything like that. Start any reasonable pseudo-random number generator from the exact time of time, run for a thousand steps, then use to select characters; that's as close to random as you need. (Use a pseudo-random number generator with a very long period. See Knuth for tons of examples.)

The reason for saying "8 characters" is that the VMS password encryption algorithm folds longer passwords down to 8 bytes anyway. (Actually, to be exact, the result of the fold may not be equivalent to any actual 8-byte password, since there are a lot of bytes that can't be part of a password as typed. So use 16 bytes if you want.)

Really, this is silly. Despite all the movies and TV shows that have people with micros "trying all the passwords", systems simply cannot be broken into this way. Passwords can be guessed if they are chosen poorly - from too small a set of possibilities (English words, names, output of a random number generator with a small period). They can be compromised by a variety of means, ranging from watching people as they type, to tapping phone lines, to bribery.

-- Jerry
-------
info-vax@ucbvax.ARPA (03/04/85)
From: ulysses!clyde!watmath!utcsri!orton@BERKELEY (Ed Orton)

On all our systems running VMS all DEC default accounts are DISUSERED. This has no effect on the startup, and eliminates the security problem you suggest.