At 9:18 PM -0400 4/24/07, Jerome H. Fine wrote:
Richard wrote:
Lots of systems made that error. For instance, RSTS/E stored the
passwords in cleartext and you could list them out if you were a
privileged (1,*) user. I discovered that when you submitted a batch
job through the @ processor, it ran as user batch on account (1,2).
So it wasn't too hard to submit a batch job that ran the ACCOUN
program to list out the passwords.
Jerome Fine replies:
Perhaps Zane is following this thread or anyone else
who knows VMS well. I seem to remember that the
userid / password were placed through the same algorithm
as the stored values. The results were compared and
that was what produced a match. In addition, I also
understand that it was impossible to reverse the results
of the "encryption" algorithm. And with later versions
of VMS, the choice of the password was restricted, possibly
to a string produced at random by VMS itself; this latter
feature prevented users from having the name of a special
individual as the password.
Does anyone know of any other operating system which requires
secure passwords along with storing only the encrypted
equivalents of the userid / password?
No idea, sounds like that predates my VMS experience. I know there
were some holes in the pre-V5 days, but since V5 I think it's been
fairly secure.
I do know that at least with RSX-11M V4.2 it is possible to boot up
from the console and dump the logins and passwords. IIRC, they're
just plain text and you simply need high enough privileges to view
the file.
Zane
--
| Zane H. Healy                    | UNIX Systems Administrator |
| healyzh at aracnet.com (primary) | OpenVMS Enthusiast         |
| MONK::HEALYZH (DECnet)           | Classic Computer Collector |
+----------------------------------+----------------------------+
|     Empire of the Petal Throne and Traveller Role Playing,    |
|         PDP-10 Emulation and Zane's Computer Museum.          |
|               http://www.aracnet.com/~healyzh/                |