Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!umd5!purdue!i.cc.purdue.edu!j.cc.purdue.edu!pur-ee!iuvax!bsu-cs!cfchiesa
From: cfchiesa@bsu-cs.UUCP (Christopher F. Chiesa)
Newsgroups: comp.os.vms
Subject: Re: USER ID PASS VALIDATION ON VMS
Message-ID: <1740@bsu-cs.UUCP>
Date: 23 Dec 87 08:35:10 GMT
References: <8712192213.AA27374@ucbvax.Berkeley.EDU> <13592@beta.UUCP>
Organization: CS Dept, Ball St U, Muncie, Indiana
Lines: 35
Summary: Pulling hashed passwords...

In article <13592@beta.UUCP>, mbr@beta.UUCP (Mike Rose) writes:
> In article <8712192213.AA27374@ucbvax.Berkeley.EDU> IMHW400@INDYVAX.BITNET writes:
> >May I point out that, if HPWD is documented then the security hole is already
> >there. Anybody with access to the 'fiche can just recode it.
>
> That is not true. The hole is only there when you can somehow inquire
> if a password is correct for a particular username. A non-privileged
> user recoding the algorithm has nothing, since they cannot obtain the
> hashed version of the correct password from the uaf.
>

Oh, really? A college sophomore here at BSU sent me a mail message one day saying "run such-and-such program in my area..." I ran it and was shown the binary string representing the hashed version of my password. It would be simplicity itself for that program to just happen to write said password, along with my username, into a log file. Anyone with access to the file could then run the program on their OWN area, reading their OWN password, play with their password until their bit-pattern matched MY bit-pattern, and have a valid password to use to log into my account. Sort of "reverse engineering," but there is some evidence lately (mysterious break-ins to user accounts) that it works...
And, incidentally, a file which could be written in that sophomore's directory, by his program run from MY username, would of necessity have RW access to my username; if he were to unleash this thing on the "public" (say, as an unannounced adjunct to a "public-access" program, of which there are probably hundreds here), that would imply W:RW access, meaning that soon there'd be a file full of passwords that EVERYONE could peek into at leisure. BIG security hole, if you ask me.

Incidentally, I DID mean to say "A valid password..." above, rather than "THE..." -- this soph and I verified that I obtained the SAME bit-pattern from TWO slightly-different passwords, and that EITHER password would allow access to my account after using SET PASSWORD to set EITHER of them as my "real" password. Hole, hole, HOLE!!!

Chris Chiesa
..!rutgers!iuvax!bsu-cs!cfchiesa
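The attack the post describes, as an added worked example (not code from the post, and not DEC's HPWD/Purdy routine): a program running under the victim's identity harvests the victim's own hash into a log, and the attacker then runs the documented algorithm offline over candidate passwords until the bit pattern matches. The login path's check is plain hash equality, so any preimage logs in, which is the "A valid password, not THE password" point. The hash here is a stand-in (SHA-256 over the upper-cased username and password, truncated to a chosen width); the small width used in the collision search is a toy parameter chosen so the second-preimage case is cheap to reproduce, and the account name, password and word list are constructed sample data.

```python
"""Offline guessing against a harvested password hash.

Added illustration of the attack described in the post; not the post's code
and not VMS's HPWD algorithm. hash_password() is a STAND-IN one-way function
(truncated SHA-256). Usernames, passwords and the word list are constructed.
"""
import hashlib
import itertools
import string


def hash_password(username: str, password: str, bits: int = 32) -> int:
    """Stand-in for the per-user one-way function (assumption: NOT HPWD).
    Both inputs are upper-cased because VMS treats them case-insensitively.
    The result is a `bits`-wide integer, so at most 2**bits distinct values
    exist; a narrow width is what makes collisions findable by brute force."""
    data = (username.upper() + ":" + password.upper()).encode("ascii")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def login_accepts(username: str, attempt: str, stored_hash: int, bits: int = 32) -> bool:
    """What the login path does: hash the attempt and compare with the stored
    value. It cannot distinguish the original password from any other
    preimage of the same bit pattern."""
    return hash_password(username, attempt, bits) == stored_hash


def harvest(log: list, username: str, password: str, bits: int = 32) -> None:
    """Models the trojaned 'public-access' program: it runs under the victim's
    identity, so it can see the victim's own hash, and appends it to a log
    the author (or, with W:RW, everyone) can read later."""
    log.append((username.upper(), hash_password(username, password, bits)))


def crack(username: str, stored_hash: int, candidates, bits: int = 32):
    """Offline guessing: no login attempts, no lockouts, no audit records.
    Returns the first candidate whose hash equals the harvested value."""
    for cand in candidates:
        if hash_password(username, cand, bits) == stored_hash:
            return cand
    return None


def find_second_preimage(username: str, stored_hash: int, original: str,
                         bits: int = 16, max_len: int = 4):
    """Search short alphanumeric strings for a DIFFERENT password with the
    same bit pattern. Feasible here only because `bits` is tiny (toy
    parameter); it reproduces 'two passwords, one hash, either logs in'."""
    alphabet = string.ascii_uppercase + string.digits
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            cand = "".join(tup)
            if cand == original.upper():
                continue
            if hash_password(username, cand, bits) == stored_hash:
                return cand
    return None


# Constructed sample data (not real accounts).
VICTIM = "CHIESA"
VICTIM_PASSWORD = "MUNCIE87"
WORDLIST = ["PASSWORD", "SECRET", "VAXVMS", "BALLSTATE", "MUNCIE87", "CARDINALS"]


def demo():
    """Run the whole chain: victim runs the program, attacker reads the log,
    cracks offline, and (at toy width) finds an alternate working password."""
    log = []
    harvest(log, VICTIM, VICTIM_PASSWORD)        # victim runs attacker's program
    user, stolen = log[0]                         # attacker reads the log at leisure
    guessed = crack(user, stolen, WORDLIST)       # documented algorithm, offline
    assert login_accepts(user, guessed, stolen)   # the guess is a valid login
    small = hash_password(user, VICTIM_PASSWORD, bits=16)
    alt = find_second_preimage(user, small, VICTIM_PASSWORD, bits=16)
    return guessed, alt


if __name__ == "__main__":
    print(demo())
```

The check a practitioner takes from this: once the hash leaves the protected record, the documented algorithm is the only thing standing between the attacker and a working password, and the verifier's equality test accepts every preimage equally. A program that is allowed to read the caller's own hash and write to a world-writable file is the whole exploit; no break-in to the authorization file itself is needed.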