Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!rutgers!lll-lcc!styx!ames!ucbcad!ucbvax!bruceb@sdcsvax.ucsd.edu@telesoft.UUCP
From: bruceb@sdcsvax.ucsd.edu@telesoft.UUCP
Newsgroups: mod.computers.vax
Subject: Re: PASSWORD VERIFICATION PROCEDURES
Message-ID: <8702111847.AA05802@sdcsvax.UCSD.EDU>
Date: Wed, 11-Feb-87 13:47:25 EST
Article-I.D.: sdcsvax.8702111847.AA05802
Posted: Wed Feb 11 13:47:25 1987
Date-Received: Fri, 13-Feb-87 00:16:05 EST
References: <8702100603.AA02948@ucbvax.Berkeley.EDU>
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 27
Approved: info-vax@sri-kl.arpa

> The following piece of DCL works fine and does not require publishing
> anything about the encryption formulas. It also logs bad passwords
> as logfails in the accounting files, making it possible to trace
> break-in attempts.
>
> $! first we prompt for the username and password
> $ inquire name "Username"
            ^^^^^^^^^^^^   bad news (and worse for 'inquire pwd' in original posting!)
> In conjunction with ACL protection, it makes for
> a very tight procedure.
>
> Leo Geoffrion, Skidmore College
> GEOFFRIL@UNION.BITNET
>

While your basic idea is okay, you have placed one grievous fault in your
DCL file! INQUIRE places the user's answer in the command line recall
buffer. If the user were to run your COM file as you have it written,
another knowledgeable user could just drop by and press the 'up arrow' key
a couple of times to find the password!

Use READ rather than INQUIRE. INQUIRE is massively unsafe for this type of
use. READ will not leave it around to be picked up.

Please.

bruce
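The weak prompt from the quoted procedure beside the READ form the reply recommends, as an added example that is not part of the original posting or either author's code. The SET TERMINAL /NOECHO and /ECHO pair (so the password is not displayed while typed), the DELETE /SYMBOL cleanup, and the symbol name PWD are assumptions added here, not something the thread states.

```dcl
$! Added example, not from the original posting. Assumes an interactive
$! terminal session on a VMS system.
$!
$! Weak form: INQUIRE places the reply in the command recall buffer, so
$! RECALL/ALL or the up-arrow key shows it to whoever is at the terminal.
$!     INQUIRE PWD "Password"
$!
$! Safer form: READ from SYS$COMMAND does not pass through the recall
$! buffer. Echo is turned off around the read so the value is also not
$! shown on the screen; ON CONTROL_Y restores echo if the user aborts.
$ ON CONTROL_Y THEN GOTO RESTORE
$ SET TERMINAL /NOECHO
$ READ /PROMPT="Password: " SYS$COMMAND PWD
$ SET TERMINAL /ECHO
$ WRITE SYS$OUTPUT ""
$!
$! ... compare PWD against the stored value here ...
$!
$! Drop the symbol as soon as it is no longer needed so it does not
$! linger in the process symbol table.
$ DELETE /SYMBOL PWD
$ EXIT
$!
$RESTORE:
$ SET TERMINAL /ECHO
$ EXIT
```

The point of the pairing is that the recall buffer is a process-wide history of typed command input, which INQUIRE feeds but READ from SYS$COMMAND does not; disabling echo is a separate, complementary measure against someone watching the screen.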