Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!bellcore!epic!karn
From: karn@epic.bellcore.com (Phil R. Karn)
Newsgroups: comp.org.eff.talk
Subject: Re: stealing passwords is easy!
Message-ID: <1991Jun12.191551.7844@bellcore.bellcore.com>
Date: 12 Jun 91 19:15:51 GMT
References: <14906.28501E22@fidogate.FIDONET.ORG>
Sender: usenet@bellcore.bellcore.com (Poster of News)
Reply-To: karn@thumper.bellcore.com
Organization: Packet Communications Research Group (Bellcore)
Lines: 28

In article <14906.28501E22@fidogate.FIDONET.ORG>, david.turrell@f111.n125.z1.FIDONET.ORG (david turrell) writes:
|> I remember a WYLBUR system whose teletypes echoed the password. After typing a
|> "mask" of G's on top of W's on top of M's. Then people left the printout lying
|> around; didn't even bother to throw it away when they left.
|>

Yes, back at Cornell in the middle 70's I demonstrated a similar attack
against VM/CMS passwords. As a typical IBM mainframe system, VM/CMS
operated in half duplex (virtual 2741 mode), so it had no way of
directing a terminal to suppress echo as a password was typed in. So a
series of overstruck characters were printed as part of the prompt in an
attempt to mask the password. I'm not sure now, but I think the
characters were S, M and *.

Printing terminals, particularly the dot-matrix kind (Decwriters and
Silent 700-class thermal printers) were of course the standard in those
days. I noticed that a few dots in the matrix were left unhit by the
mask characters in the font used by at least one dot matrix printer (the
NCR terminal in my room, used by many other members of my fraternity,
including one with system programmer privileges). Given a "masked"
password from the trash I discovered I could easily narrow down the
possible letters for each position within the password by examining the
matrix dot positions left clear by the password mask.

Since the passwords were only four characters long to begin with, it
didn't take long to determine the right one by trial and error.

Phil
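The failure Phil describes is a coverage problem: an overstrike mask hides a password character only if the union of dots its glyphs ink includes every dot that character can print. The audit below is an added example, not code from the post or from any VM/CMS or terminal software. It models a constructed 5x5 toy font (not the NCR terminal's real font), takes a mask set such as the "S", "M" and "*" Phil recalls, and reports which dot positions stay clear, which password letters become distinguishable as a result, and whether a proposed mask set covers the whole alphabet. The letter set `PASSWORD_ALPHABET` and all glyph shapes are assumptions made for the example.

```python
"""Audit an overstrike password mask against a dot-matrix font.

A mask is only as good as the union of dots its glyphs hit.  Any dot a
password character can print that no mask glyph covers survives the
overstrike and narrows the candidate set for that position.  The font,
the mask glyphs and the alphabet below are a constructed 5x5 toy, not
the font of any real terminal.
"""
from collections import defaultdict

# Constructed toy font: '#' is an inked dot, '.' a blank matrix position.
FONT = {
    "A": ["..#..", ".#.#.", "#####", "#...#", "#...#"],
    "B": ["####.", "#...#", "####.", "#...#", "####."],
    "C": [".####", "#....", "#....", "#....", ".####"],
    "K": ["#...#", "#..#.", "###..", "#..#.", "#...#"],
    "L": ["#....", "#....", "#....", "#....", "#####"],
    "T": ["#####", "..#..", "..#..", "..#..", "..#.."],
    "V": ["#...#", "#...#", "#...#", ".#.#.", "..#.."],
    "W": ["#...#", "#...#", "#.#.#", "##.##", "#...#"],
    "X": ["#...#", ".#.#.", "..#..", ".#.#.", "#...#"],
    "Z": ["#####", "...#.", "..#..", ".#...", "#####"],
    "M": ["#...#", "##.##", "#.#.#", "#...#", "#...#"],
    "S": [".####", "#....", ".###.", "....#", "####."],
    "*": [".....", "#.#.#", ".###.", "#.#.#", "....."],
}

# Letters a password may contain in this toy model (assumption).
PASSWORD_ALPHABET = "ABCKLTVWXZ"


def dots(glyph):
    """Return the set of (row, col) positions a glyph inks."""
    return {(r, c) for r, row in enumerate(glyph)
            for c, ch in enumerate(row) if ch == "#"}


def mask_coverage(mask_chars, font=FONT):
    """Union of dots hit by overstriking every character of the mask."""
    covered = set()
    for ch in mask_chars:
        covered |= dots(font[ch])
    return covered


def leaked_signature(ch, mask_chars, font=FONT):
    """Dots of `ch` that the mask never inks: what remains visible on paper."""
    return frozenset(dots(font[ch]) - mask_coverage(mask_chars, font))


def candidate_classes(mask_chars, alphabet=PASSWORD_ALPHABET, font=FONT):
    """Group the alphabet by leaked signature.

    Letters sharing a signature are indistinguishable after masking; a
    complete mask yields one class with an empty signature holding the
    whole alphabet.
    """
    classes = defaultdict(set)
    for ch in alphabet:
        classes[leaked_signature(ch, mask_chars, font)].add(ch)
    return {sig: frozenset(chars) for sig, chars in classes.items()}


def mask_is_complete(mask_chars, alphabet=PASSWORD_ALPHABET, font=FONT):
    """True when no letter of the alphabet leaks any dot through the mask."""
    return all(not leaked_signature(ch, mask_chars, font) for ch in alphabet)


def smallest_class(mask_chars, alphabet=PASSWORD_ALPHABET, font=FONT):
    """Size of the smallest candidate class, i.e. how far one position
    can be narrowed in the worst case (1 means a letter is fully exposed)."""
    return min(len(c) for c in candidate_classes(mask_chars, alphabet, font).values())


def audit(mask_chars):
    """Print a human-readable coverage report for one mask set."""
    print(f"mask {mask_chars!r}: complete={mask_is_complete(mask_chars)}, "
          f"smallest candidate class={smallest_class(mask_chars)}")
    for sig, chars in sorted(candidate_classes(mask_chars).items(),
                             key=lambda kv: sorted(kv[1])):
        print(f"  leaked dots {sorted(sig)!r:<22} -> {''.join(sorted(chars))}")


if __name__ == "__main__":
    audit("SM*")   # the toy model of the mask Phil recalls
    audit("SM*W")  # adding a glyph that inks the clear positions
```

In the toy font the three-glyph mask leaves two positions in row 3 clear, so letters that ink those positions (K, V, W, X, Z) print a visible residue and K and Z are identified outright; the remaining letters collapse into one class. The audit also shows the defender-side use: a fourth glyph that inks the clear positions makes the mask complete for this alphabet. Where the line discipline allows it, suppressing echo entirely remains the real fix; the audit is for the half-duplex situation the post describes, where overstriking is all the host can do.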