Path: utzoo!mnetor!uunet!husc6!rutgers!ames!ucbcad!ucbvax!INDYVAX.BITNET!IMHW400
From: IMHW400@INDYVAX.BITNET
Newsgroups: comp.os.vms
Subject: USER ID PASS VALIDATION ON VMS
Message-ID: <8712192213.AA27374@ucbvax.Berkeley.EDU>
Date: 19 Dec 87 19:53:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 37

Mike Rose writes:
>I doubt that is the case. It is very easy to do, provided you leave
>a security hole. The routine HPWD.MAR in the fiche will hash a
>password; this can then be compared to the password(s) in the UAF
>with the $getuai system service. The security hole is that someone
>can then try lots of different passwords for a username without the
>intrusion detection system getting fired up or the attempts being logged.
>
>HPWD.MAR is documented....

May I point out that, if HPWD is documented, then the security hole is
already there. Anybody with access to the 'fiche can just recode it. It
is not possible to defend a published algorithm simply by making one
realization of it hard to get at.

Note that DEC could easily provide a system service to validate access
information, one that *would* trigger the intrusion detection system if
necessary. It is difficult to conceive of a legitimate use for such
validation that would be harmed by such detection; most applications
would do well to log such events.

}flame on{
If DEC would implement logged validation, and *finish* the implementation
of SETUAI (so that one could make *new* SYSUAF entries with properly
hashed passwords, given sufficient privilege), then only crackers would
have more than academic interest in this poor little routine, obviating
further explanation. As it is, there must be hundreds of programmers
trying to figure out how to use HPWD for their legitimate applications,
which surely must increase our exposure to illegitimate uses.
}flame off{
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Mark H. Wood (317)274-0749
Indiana University - Purdue University at Indianapolis
799 West Michigan Street, ET 1023
Indianapolis, IN 46202 USA
[@disclaimer@]
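The two situations argued over above, as an added example that is not part of the original post or of any DEC code: on one side, a program that recodes the published hash and compares guesses against the stored value it read from the UAF, so that no attempt is ever logged and no intrusion counter moves; on the other, the kind of logged validation service the post asks DEC for, where every attempt is audited and repeated failures put the account into break-in evasion. The hash function is a salted SHA-256 stand-in, not HPWD or the Purdy polynomial; the UAF record, the break-in limit of three and the guess list are all constructed for the demonstration.

```python
import hashlib
from collections import defaultdict


def hpwd_standin(password: str, salt: bytes) -> bytes:
    """Stand-in one-way hash. Assumption: this is NOT the real HPWD/Purdy
    algorithm, only something one-way to compare against. VMS folds
    passwords to upper case before hashing, which is mirrored here."""
    return hashlib.sha256(salt + password.upper().encode("ascii")).digest()


# Constructed UAF-style record: what $GETUAI would hand back for one user.
UAF = {
    "SMITH": {"salt": b"\x12\x34", "hash": hpwd_standin("secret7", b"\x12\x34")},
}


def offline_guess(username, candidates):
    """The hole described in the quoted text: recode the published hash and
    compare against the stored value. Nothing is logged and no intrusion
    counter moves, however many candidates are tried.
    Returns (matching_password_or_None, attempts_made)."""
    rec = UAF[username]
    for n, cand in enumerate(candidates, start=1):
        if hpwd_standin(cand, rec["salt"]) == rec["hash"]:
            return cand, n
    return None, len(candidates)


class LoggedValidator:
    """The service the post asks for: every attempt is audited, and once
    failures from one source reach the break-in limit the account goes
    into evasion, after which even the correct password is refused until
    reset() is called (a manual stand-in for the evasion timeout).
    The limit of 3 is an assumption."""

    def __init__(self, break_in_limit=3):
        self.break_in_limit = break_in_limit
        self.failures = defaultdict(int)   # keyed by (username, source)
        self.evading = set()               # usernames currently in evasion
        self.audit = []                    # constructed audit trail

    def validate(self, username, password, source):
        key = (username, source)
        if username in self.evading:
            self.audit.append(f"EVASION {username} from {source}: refused")
            return False
        rec = UAF.get(username)
        # Unknown usernames fail the same way as wrong passwords, and are
        # counted the same way, so they cannot be enumerated silently.
        ok = rec is not None and hpwd_standin(password, rec["salt"]) == rec["hash"]
        if ok:
            self.failures.pop(key, None)
            self.audit.append(f"SUCCESS {username} from {source}")
            return True
        self.failures[key] += 1
        self.audit.append(f"FAILURE {username} from {source} (#{self.failures[key]})")
        if self.failures[key] >= self.break_in_limit:
            self.evading.add(username)
            self.audit.append(f"BREAKIN {username} from {source}: evasion on")
        return False

    def reset(self, username):
        """Clear evasion and failure counts for one user (operator action)."""
        self.evading.discard(username)
        for key in [k for k in self.failures if k[0] == username]:
            del self.failures[key]


# Constructed guess list; the real password is the fourth entry.
GUESSES = ["password", "welcome", "vms", "secret7", "manager"]


def demo():
    """Run the same guesses through both paths and return what each saw."""
    found, tries = offline_guess("SMITH", GUESSES)
    v = LoggedValidator()
    online = [v.validate("SMITH", g, "TTA3:") for g in GUESSES]
    return found, tries, online, v.audit


if __name__ == "__main__":
    found, tries, online, audit = demo()
    print(f"offline: recovered {found!r} after {tries} silent attempts")
    print(f"online : results {online}")
    for line in audit:
        print("audit  :", line)
```

The offline loop recovers the password on the fourth try and leaves no trace, which is the point Mark Wood makes about a published algorithm: hiding one copy of HPWD.MAR changes nothing. Through the logged validator the same four guesses never succeed, because the third failure switches on evasion and the correct password is then refused too, with six audit records left behind for the operator.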