On 4/24/07, Ray Arachelian <ray at arachelian.com> wrote:
These were also "salted" which means that the OS would pick some random
byte to prevent dictionary brute force attacks against passwords. Not
sure if VMS had salted passwords.

My memory from working on COMBOARD software under VMS v3.x, v4.x, and
v5.x was that perhaps it did or didn't use salted passwords under v3,
but that under v4 and v5 it certainly did. Since our product could
take files received over the bisync or SNA link and submit them
to the VMS Batch queue long before there was a documented technique to
do so, we had to hash user-supplied passwords and compare them to what
was in the password file ourselves to ensure the user was authorized
to submit those jobs. ISTR that eventually, sometime after VMS 5.0,
it was possible to hand a plaintext password and username to a system
service call and confirm that the password was valid for that user. I
don't think you could get the hash back to inspect it, but the
important part was that you could make that check.

With enough time, I could probably dig up our code, c. 1983-1984, for
the one-way hash function. Over the timeframe we were doing it, I
also seem to recall that VMS did it more than one way, or at least we
had to make changes in how we did it at least once between 1981 and
1993.
-ethan