Path: utzoo!mnetor!uunet!husc6!think!ames!aurora!labrea!decwrl!ucbvax!vaxb.rhbnc.ac.UK!CHAA006
From: CHAA006@vaxb.rhbnc.ac.UK
Newsgroups: comp.os.vms
Subject: VMS security
Message-ID: <8801201137.AA00590@ucbvax.Berkeley.EDU>
Date: 19 Jan 88 12:08:50 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Reply-To: Philip Taylor (RHBNC, Univ of London)
Organization: The ARPA Internet
Lines: 22

I believe I have discovered a serious loophole in VMS security. If breakin-detection is in force, and a user enters his/her username incorrectly, without noticing the error, then enters the correct password, that password can appear on the operator console and in the operators' log. This occurs when the same, incorrect, username is entered sufficient times for breakin-detection to become activated. As it is not unknown for system managers to reduce the detection limit to two, the appearance of such passwords, in clear, is a distinct possibility.

For example, a user changes his/her password; later, on logging-in, mis-types the username (but doesn't notice the fact), and enters the old password; sees "Invalid username/password", and remembers that he/she has a new password; uses / to recall the username (to save re-typing it), then enters the new, correct, password. Breakin-detection is set at two, and the correct password, plus the username with perhaps a single error in it, appear in clear.

An unlikely scenario? Well, it happened to me, yesterday!

Since for common privileged usernames such as SYSTEM, it would typically be the work of a moment to guess the mis-typed username, system security can be seriously compromised. Furthermore, anything which results in a valid password being stored and displayed in clear is a serious breach of the zeroth rule of system security.

** Phil.
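Added illustration, not part of Phil's post and not VMS code: a toy Python model of the logging behaviour he describes (a rejected username that hits the breakin threshold is logged together with the password as typed), beside a hardened version that records the count and never the password, plus a check a system manager could run over records already written to find which real accounts are one typo away from a logged username and so may have their password sitting in clear. The record format, the account list and the attempt sequence are constructed; the detection limit of two follows the post.

```python
"""Toy model of breakin-detection logging: the leak described in the post,
a hardened variant, and a check for records already on disk.
The BREAKIN line format below is constructed for this example; it is not
the real VMS operator-log format."""
from collections import defaultdict

# Constructed failed-login attempts as (username as typed, password as typed).
# A user mis-types SYSTEM as SYSTME, first with an old password, then with
# the current one, so the current SYSTEM password reaches the log on attempt 2.
ATTEMPTS = [
    ("SYSTME", "OLDPASS"),
    ("SYSTME", "NEWPASS"),
    ("GUEST", "guest"),
]

# Constructed account list; SYSTEM and FIELD stand in for privileged accounts.
KNOWN_ACCOUNTS = {"SYSTEM", "FIELD", "SYSTEST", "GUEST"}


def leaky_breakin_monitor(attempts, limit=2):
    """Model of the behaviour in the post: once a username has failed `limit`
    times, an operator message is emitted carrying the credentials as typed.
    With limit=2 a single retry with the correct password is enough to leak."""
    counts = defaultdict(int)
    messages = []
    for user, password in attempts:
        counts[user] += 1
        if counts[user] >= limit:
            messages.append(f"BREAKIN user={user} password={password}")
    return messages


def hardened_breakin_monitor(attempts, limit=2):
    """Same trigger, but the message never carries the password: the operator
    needs the username and the attempt count, nothing else."""
    counts = defaultdict(int)
    messages = []
    for user, _password in attempts:
        counts[user] += 1
        if counts[user] >= limit:
            messages.append(f"BREAKIN user={user} attempts={counts[user]}")
    return messages


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: insertions, deletions,
    substitutions and adjacent transpositions (SYSTME vs SYSTEM) cost 1 each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def accounts_to_rotate(messages, known_accounts):
    """Scan leaky-format records already written: a rejected username one typo
    away from a real account is exactly the case in the post, so that account's
    password may now be in clear in the log.  Returns the real accounts whose
    passwords should be changed and whose records should be redacted."""
    at_risk = set()
    for line in messages:
        # Constructed format "BREAKIN key=value ..."; values contain no spaces here.
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        typed = fields.get("user", "")
        for account in known_accounts:
            if typed != account and osa_distance(typed, account) <= 1:
                at_risk.add(account)
    return sorted(at_risk)


if __name__ == "__main__":
    for line in leaky_breakin_monitor(ATTEMPTS):
        print("leaky:   ", line)
    for line in hardened_breakin_monitor(ATTEMPTS):
        print("hardened:", line)
    print("rotate:", accounts_to_rotate(leaky_breakin_monitor(ATTEMPTS), KNOWN_ACCOUNTS))
```

The two monitors differ only in what they write; the hardened one loses nothing an operator needs. `accounts_to_rotate` is the defender's step for a log that already has such entries: change the flagged accounts' passwords and redact the records, since an operator log that can carry passwords has to be handled as secret material.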