Richard wrote:
Lots of systems made that error. For instance, RSTS/E stored the
passwords in cleartext and you could list them out if you were a
privileged (1,*) user. I discovered that when you submitted a batch
job through the @ processor, it ran as user batch on account (1,2).
So it wasn't too hard to submit a batch job that ran the ACCOUN
program to list out the passwords.
Jerome Fine replies:
Perhaps Zane is following this thread or anyone else
who knows VMS well. I seem to remember that the
userid / password were placed through the same algorithm
as the stored values. The results were compared and
that was what produced a match. In addition, I also
understand that it was impossible to reverse the results
of the "encryption" algorithm. And with later versions
of VMS, the choice of the password was restricted, possibly
to a string produced at random by VMS itself; this latter
feature prevented users from having the name of a special
individual as the password.
Does anyone know of any other operating system which requires
secure passwords along with storing only the encrypted
equivalents of the userid / password?
Sincerely yours,
Jerome Fine
--
If you attempted to send a reply and the original e-mail
address has been discontinued due to a high volume of junk
e-mail, then the semi-permanent e-mail address can be
obtained by replacing the four characters preceding the
'at' with the four digits of the current year.
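
The two storage designs discussed in this thread, side by side, as an added example that is not part of the original messages: a cleartext password file of the kind Richard describes, and a store that keeps only the one-way result and verifies a login by running the attempt through the same function and comparing, as Jerome describes. PBKDF2-HMAC-SHA256 from Python's standard library is used as a stand-in one-way function (it is not the VMS algorithm), and the account names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; not taken from any real system.
SAMPLE_USERS = {"batch": "tape-drive-7", "operator": "correct horse"}


def derive(userid: str, password: str, salt: bytes) -> bytes:
    """One-way function over userid and password (PBKDF2 as a stand-in)."""
    # Length-prefix the userid so ("ab", "c") and ("a", "bc") cannot collide.
    material = len(userid).to_bytes(2, "big") + userid.encode() + password.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 200_000)


def build_cleartext_store(users):
    """Cleartext design: the password file holds the passwords themselves."""
    return dict(users)


def build_hashed_store(users):
    """Hashed design: only a per-user salt and the one-way result are kept."""
    store = {}
    for userid, password in users.items():
        salt = os.urandom(16)
        store[userid] = (salt, derive(userid, password, salt))
    return store


def verify(store, userid: str, password: str) -> bool:
    """Run the login attempt through the same function and compare results."""
    record = store.get(userid)
    if record is None:
        # Do the same work for unknown users so timing does not reveal them.
        derive(userid, password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(derive(userid, password, salt), expected)


def exposed_passwords(store, users):
    """Userids whose password is readable by anyone who can list the store."""
    blob = repr(store).encode()
    return sorted(u for u, p in users.items() if p.encode() in blob)
```
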