Path: utzoo!mnetor!uunet!husc6!hao!ames!hc!beta!mbr
From: mbr@beta.UUCP (Mike Rose)
Newsgroups: comp.os.vms
Subject: Re: USER ID PASS VALIDATION ON VMS
Message-ID: <13592@beta.UUCP>
Date: 21 Dec 87 16:32:59 GMT
References: <8712192213.AA27374@ucbvax.Berkeley.EDU>
Reply-To: mbr@beta.UUCP (Mike Rose)
Organization: Los Alamos Natl. Labs, Los Alamos, NM
Lines: 20

In article <8712192213.AA27374@ucbvax.Berkeley.EDU> IMHW400@INDYVAX.BITNET writes:
>May I point out that, if HPWD is documented then the security hole is already
>there. Anybody with access to the 'fiche can just recode it.

That is not true. The hole is only there when you can somehow inquire
if a password is correct for a particular username. A non-privileged
user recoding the algorithm has nothing, since they cannot obtain the
hashed version of the correct password from the uaf.

>Note that DEC could easily provide a system service to validate access
>information, that *would* trigger the intrusion detection system if necessary.
>It is difficult to conceive a legitimate use for such validation that would
>be harmed by such detection; most applications would do well to log such
>events.

I agree.

Mike Rose
mbr@lanl.gov
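
An added example, not part of the original post and not VMS code: a sketch of the kind of validation service discussed above, where the hashing algorithm is public but the stored hashes stay behind the service, and every attempt is logged and counted. The class and method names, the threshold, the terminal names and the use of PBKDF2 in place of HPWD are all assumptions made for illustration.

```python
import hashlib, hmac, os

class AccessValidator:
    """Hypothetical validation service: callers get a yes/no answer, never the stored hash."""

    def __init__(self, threshold=3):
        self._store = {}      # username -> (salt, hash); stands in for the protected authorization file
        self._failures = {}   # (source, username) -> consecutive failed attempts
        self._threshold = threshold
        self.audit_log = []   # every attempt is recorded

    @staticmethod
    def hash_password(password, salt):
        # The algorithm is public on purpose. PBKDF2 is an assumption here, not HPWD.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def enroll(self, username, password):
        salt = os.urandom(16)
        self._store[username] = (salt, self.hash_password(password, salt))

    def validate(self, source, username, password):
        key = (source, username)
        if self._failures.get(key, 0) >= self._threshold:
            # Source is already flagged: refuse without evaluating the guess.
            self.audit_log.append(("EVADE", source, username))
            return False
        salt, expected = self._store.get(username, (b"\0" * 16, b""))
        ok = hmac.compare_digest(self.hash_password(password, salt), expected)
        if ok:
            self._failures.pop(key, None)
            self.audit_log.append(("OK", source, username))
        else:
            self._failures[key] = self._failures.get(key, 0) + 1
            self.audit_log.append(("FAIL", source, username))
        return ok

def demo():
    v = AccessValidator(threshold=3)
    v.enroll("SMITH", "correct-horse")          # constructed sample account
    guesses = [v.validate("TTA1", "SMITH", g) for g in ("a", "b", "c")]
    blocked = v.validate("TTA1", "SMITH", "correct-horse")   # right password, flagged source
    other = v.validate("TTA2", "SMITH", "correct-horse")     # unflagged source still works
    return guesses, blocked, other, v.audit_log

if __name__ == "__main__":
    print(demo())
```

Once a source is flagged, the service stops answering for it, so repeated calls no longer tell the caller whether a guess was right.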