Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!ames!mailrus!tut.cis.ohio-state.edu!ut-sally!utah-cs!utah-gr!stride!tahoe!unsvax!jimi!stevie!robert
From: robert@stevie.cs.unlv.edu (Robert Cray)
Newsgroups: comp.unix.wizards
Subject: passwords (was Re: 60-second timeout in Unix login)
Message-ID: <754@jimi.cs.unlv.edu>
Date: 3 Mar 88 03:07:20 GMT
References: <12035@brl-adm.ARPA>
Sender: news@jimi.cs.unlv.edu
Reply-To: robert@jimi.cs.unlv.edu (Robert Cray)
Followup-To: sci.crypt
Organization: University of Nevada, Las Vegas
Lines: 26

In article <12035@brl-adm.ARPA> rbj@icst-cmr.arpa (Root Boy Jim) writes:
>It is interesting that people's ideas on security are often wrong.
>For example, some people around here think that having different
>passwords on different machines provides better security than
>using the same one for all machines! It just ain't so.
>

But suppose you have an account on your machine, and an account on my machine. I modify login on my machine to record your password. I then try it on your machine. If all machines are administered by a single entity, you are of course correct.

Also, suppose you have accounts on Unix machines, where the password file is readable, and accounts on VMS machines, where it is not. If your Unix password is in Webster's, I can get it. Not so with VMS, unless there is another security problem.

Apparently I was wrong about VMS 4.7 and remembered passwords; 4.7 is here, and it doesn't remember them. As many people have pointed out, however, it would certainly be possible to implement with no loss in security.

VMS uses one of several encryption algorithms, using two salts, one of them random and one based on the username. Thus if you copy the encrypted password from your account to mine, it won't work. What this gets you I have no idea.
Remembering the last 6 passwords would only involve adding space to keep them in the password file, and encrypting the would-be password with each of the 6 salts and comparing the encrypted passwords. --robert
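Added example, not part of Robert's post: a password-history check of the kind he sketches. Each remembered entry keeps its own random salt, so the candidate is re-hashed under every stored salt and compared; a second salt derived from the username makes a record copied to another account fail to verify there. PBKDF2, the SHA-256 username salt and the `Account` class are assumptions for illustration, not the VMS algorithm.

```python
import hashlib
import hmac
import os

HISTORY_LEN = 6       # remember the last 6 passwords, as proposed in the post
ITERATIONS = 10_000   # kept small for the demo; use a slow setting in production


def user_salt(username: str) -> bytes:
    # Second salt derived from the account name (hypothetical construction;
    # it only has to differ from account to account).
    return hashlib.sha256(username.lower().encode()).digest()


def hash_password(username: str, password: str, salt: bytes) -> bytes:
    # Hash under both salts: the per-entry random salt and the username salt.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt + user_salt(username), ITERATIONS
    )


class Account:
    def __init__(self, username: str) -> None:
        self.username = username
        # (random salt, hash) per remembered password, newest last; the
        # last entry is the current password.
        self.entries: list[tuple[bytes, bytes]] = []

    def verify(self, password: str) -> bool:
        if not self.entries:
            return False
        salt, digest = self.entries[-1]
        candidate = hash_password(self.username, password, salt)
        return hmac.compare_digest(candidate, digest)

    def is_reused(self, password: str) -> bool:
        # Stored hashes cannot be compared to each other (every salt differs),
        # so the candidate is hashed once per remembered salt.
        return any(
            hmac.compare_digest(hash_password(self.username, password, salt), digest)
            for salt, digest in self.entries
        )

    def set_password(self, password: str) -> bool:
        """Install a new password; refuse one found in the history window."""
        if self.is_reused(password):
            return False
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(self.username, password, salt)))
        del self.entries[:-HISTORY_LEN]   # drop everything older than the last 6
        return True
```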