Path: utzoo!mnetor!uunet!lll-winken!netsys!tsl
From: tsl@netsys.UUCP (Tom Livingston)
Newsgroups: sci.crypt
Subject: Re: Unix Password Hacker
Message-ID: <5877@netsys.UUCP>
Date: 26 Feb 88 03:58:53 GMT
References: <731@ddsw1.UUCP> <657@morningdew.BBN.COM> <1368@homxc.UUCP> <739@ddsw1.UUCP> <1118@uop.edu> <2584@crash.cts.com>
Reply-To: tsl@netsys.UUCP (Tom Livingston)
Distribution: na
Organization: NetSys Public Access NetWork,Germantown,Md.
Lines: 43
Keywords: passwords accounts assigned passwords
Summary: Not as useless as it may seem.

In article <2584@crash.cts.com> jkimble@crash.CTS.COM (Jim Kimble) writes:
>In article <1118@uop.edu> todd@uop.edu (Dr. Nethack) writes:
>>
>>In another place I worked the new semester was the best time, as all
>>the new accounts had the password of "nopassword".
>>
>>So if you played around, you could find some accounts by the lazy people
>>who did not bother to drop by the lab for the first two weeks.
>>
>
>But what purpose does this serve? The first time the owners of the accounts
>try to login and find they can't, they're going to make a phone call to the
>data processing people who will just assign a new password right there over
>the phone.

Really? Now, first off, anybody who knew anything of what they were doing
would not change the password, and just log in with it when they wanted to
use it. Second -- This would be a definite opportunity for the more
prankish to post rude messages, confuse things, and generally wreak havoc
for the day (until it would be taken away due to those actions).
Third -- They would assign a new password over the phone? I doubt this, as
'anyone' could just call up, claiming to be someone else, and have their
password changed. Bingo, they have the account.

>
>All this would really do is give you an additional UNIX account for a week
>or two. I doubt the students have any more access than anyone else.

I believe the teachers would also get their passwords this way.
Surely some of the less computer enthusiastic would not use their accounts
for the first week, if at all. At a school I was associated with, they had
the policy of issuing accounts to all faculty. Now, I would say 1 in 10 of
the faculty would actually use the accounts, the rest would be left
unpassworded, even worse than all accounts having a 'nopassword' password.
What made it even worse is that the other faculty didn't realise this, and
would leave group read permissions set, even on things like tests and
quizzes... I know of some people who got A's before that was discovered :-)

>--Jim Kimble

_____________ / --/ __ _______ (_/ (_) / / / <_ Livingston
{ decuac,ihnp4 }!netsys!tsl