Path: utzoo!mnetor!uunet!husc6!rutgers!ucla-cs!zen!ucbvax!FHCRCVAX.BITNET!JOE
From: JOE@FHCRCVAX.BITNET (Joe Meadows)
Newsgroups: comp.os.vms
Subject: RE: 'security holes'
Message-ID:
Date: 28 Dec 87 17:24:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 30

> The question is: given an arbitrary hashed password can you easily
>derive the original? The fact is that *ANYONE* with access to the UAF can get
>all the hashed passwords for all the users on the system ... this does not give
>you access to all the accounts however.

A few years ago, I wrote a program to go through the UAF and find all users
who had a specific password (seems a lot of universities give all their new
accounts the same password). It would have been trivial to add a dictionary
and search through each username against every word in the dictionary. While
not fast, a majority of passwords would indeed be found out this way. This is
one reason why DEC added the SET PASSWORD/GENERATE option and the flag in the
UAF for forcing a user to use generated passwords.

I tried other popular passwords with the above program and found several
privileged accounts. Since I could easily obtain all the privilege I ever
wanted (this was under VMS V3.n) I never bothered to use any of this info;
however, I offered the program to the system administrators so they would be
aware of the possible hole. They also used it to scold people who hadn't
changed their password (or changed it back).

Of course, if you can't get the info out of the authorization file then
you're going to have a harder time with it. However, a lot of people write
PD software with just such traps as described before, writing out the current
user's hashed password into a file. Luckily, not all hackers have easy access
to the micro-fiche; sadly, some of the hackers on the evil side of the force
do...

Cheers,
Joe Meadows
joe@fhcrcvax.bitnet