
Conference noted::hackers_v1

Title: -={ H A C K E R S }=-
Notice: Write locked - see NOTED::HACKERS
Moderator: DIEHRD::MORRIS
Created: Thu Feb 20 1986
Last Modified: Mon Aug 03 1992
Last Successful Update: Fri Jun 06 1997
Number of topics: 680
Total number of notes: 5456

114.0. "one-letter password on vmsv4" by SPRITE::OSMAN () Thu Apr 25 1985 15:45

Ever had a desire to have a one-letter password, even though VMSv4 tries not
to let you ?  (I present the following as a HACK, not a suggestion.  For
a secure system, I support the philosophy of long passwords).

Well, here's how to do it:

	$ SET PASSWORD
	OLD PASSWORD: type yours
	NEW PASSWORD: xUUUUUUUUUUUUUUUUVVVVVVVV
	VERIFICATION: xUUUUUUUUUUUUUUUUVVVVVVVV

where "x" is the one-letter password you'd really like.

Now try logging in and just type "x" ! (without the quotes of course)

(That's 16 U's and 8 V's)

/Eric

Replies (T.R, Title, User, Personal Name, Date, Lines):
114.1. by REX::MINOW Fri Apr 26 1985 19:10 (4 lines)
Now, that's a hack.  Does it generalize to N-letter passwords?
I.e., can I set my password to FOO?

Martin.
114.2. by GOLLY::GILBERT Sat Apr 27 1985 05:14 (1 line)
Ayup, it generalizes.  Just follow the 'normal' password with 16 Us and 8 Vs.
114.3. by APACHE::SYSTEM Sun Jun 02 1985 14:33 (10 lines)
You can get a no letter password in vms V3.7 by the following

$set password
OLD PASSWORD:  type old pass
NEW PASSWORD:  hit escape
VERIFICATION:  hit escape

  You will now be able to log on directly from USERNAME:...
114.4. by PARVAX::PFAU Mon Jun 03 1985 13:04 (3 lines)
Why escape?  Why not return?

tom_p
114.5. by EDSVAX::CRESSEY Tue Jun 04 1985 16:18 (4 lines)
    If you type return it will call your entry a blank line,
    ignore it, and reprompt.  Try it!

    Dave
114.6. by PARVAX::PFAU Wed Jun 05 1985 12:25 (8 lines)
I just tried it and I've done it before.  I enter my old password, get 
the 'New password:' prompt and hit a carriage return.  It then prompts 
me for 'Verification:'.  I hit return again.  'SET HOST 0' and log in 
with just a username.

I tried this on OBIWAN which is still running V3.7.

tom_p
114.7. by GLIVET::DIAMOND Wed Jun 05 1985 18:05 (5 lines)
Sure...  You don't HAVE to have a password.  That's what happens when you
set your password to an empty string.  I don't think this works, though, if
you have a minimum password length set in the UAF

Dave
114.8. by PARVAX::PFAU Wed Jun 05 1985 20:43 (4 lines)
But there is no minimum password length on VMS V3.7.  If the <ESC> 
trick works on V4, I think it's a security hole and should be QARed.

tom_p
114.9. by GLIVET::DIAMOND Thu Jun 06 1985 13:48 (4 lines)
I'm on V4.1 and have a pwdminimum set to 6.  I tried setting my password
with an escape and it didn't work.

Dave
114.10. by EDSVAX::CRESSEY Thu Jun 06 1985 15:12 (8 lines)
RE .5 & .6:

    BOY, IS MY FACE RED!  That'll teach me to respond from memory.

    My response (.5) about blank lines appears to be totally inaccurate.
    Please ignore it.

    Dave
114.11. by SPRITE::MCVAY Sat Jun 08 1985 22:13 (1 line)
Ignore what?...
114.12. by GLIVET::DIAMOND Mon Jun 10 1985 11:58 (3 lines)
His response (.5) about blank lines, which appears to be totally inaccurate.

Dave :`)
114.13. by LSMVAX::BLINN Mon Jun 17 1985 00:39 (8 lines)
So, what happens if you set your password to UUUUUUUUUUUUUUUUVVVVVVVV 
(that is, 16 "U"s followed by 8 "V"s)?  Does this result in no password 
at all, or make you actually enter a real password of this 24 character 
string?  Also, anyone going to offer the explanation of why the "U"s and 
"V"s cancel one another out (presumably the one-way encryption algorithm 
in VMS V4.x)?

Tom
114.14. by JON::MORONEY Mon Jun 17 1985 13:54 (4 lines)
No, it doesn't work.  I guess VMS is smart (dumb?) enough to know that you
didn't enter a password, therefore to deny access.

-Mike
114.15. by TAHOE::JENSEN Tue Jun 25 1985 23:24 (30 lines)
To understand why this and other password tricks work, it is necessary
to understand how the password encryption algorithm works.

Basically, a text string is mapped to a quadword in a (hopefully)
non-reversible manner.  This quadword is what is stored in the
UAF file.  The entire process is fairly complex, and actually takes
three inputs (password, username, time) to produce its output.

One key part of the algorithm is to collapse the password string into
a quadword (not the final quadword).  This is done by the following
algorithm:

	let s[1..n] be a string of n characters (the password), and
	    r[0..7] be a quadword composed of 8 bytes

	Then r[i] = sum( s[k] | (k mod 8) = i), where 0 <= i <= 7, 1 <= k <= n

In other words, every eighth character in the input string is summed
into the same byte of the quadword, using byte arithmetic (i.e. no overflow
into adjacent bytes).  In the case of xU*16V*8, this works out to

	r[1] = x + U + U + V = x + 85 + 85 + 86 = x + 256 = x
	r[k] = U + U + V = 85 + 85 + 86 = 256 = 0, for k = {0,2,3,4,5,6,7}

which explains why this hack (and many others) works.

For more details, look up HPWD.MAR in the VMS source distribution.

				/X(0f(BM
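
[Added example, not part of the original note and not taken from HPWD.MAR: a model of only the folding step described in .15, with a length check applied to the shortest string that folds to the same quadword. The helper names, the minimum of 6 (borrowed from .9) and the sample passwords are assumptions made for illustration.]

```python
# Models only the "collapse into a quadword" step from note 114.15.
# The rest of the VMS hash (username, time, trap-door function) is not modelled.

PAD = "U" * 16 + "V" * 8   # the suffix from note 114.0


def fold(password: str) -> bytes:
    """Collapse a password into 8 bytes: r[k mod 8] += s[k], k counted from 1."""
    r = [0] * 8
    for k, ch in enumerate(password.encode("ascii"), start=1):
        r[k % 8] = (r[k % 8] + ch) & 0xFF   # byte arithmetic, no carry
    return bytes(r)


def shortest_equivalent_prefix(password: str) -> str:
    """Hypothetical helper: shortest prefix that folds to the same quadword."""
    target = fold(password)
    for m in range(len(password) + 1):
        if fold(password[:m]) == target:
            return password[:m]
    return password  # not reached: the full string always matches itself


def meets_minimum(password: str, minimum: int) -> bool:
    """Hypothetical policy check: judge length on what must actually be typed."""
    return len(shortest_equivalent_prefix(password)) >= minimum


if __name__ == "__main__":
    # Constructed sample inputs: the two hacks from the thread and one
    # ordinary password of comparable length.
    for candidate in ("x" + PAD, "FOO" + PAD, "correcthorse"):
        print(len(candidate), fold(candidate).hex(),
              repr(shortest_equivalent_prefix(candidate)),
              meets_minimum(candidate, 6))
```

A length check on the string as entered accepts the 25-character form; the same check on the folded-equivalent prefix rejects it.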

114.16. by JRDV03::GILBERT Wed Jun 26 1985 11:08 (7 lines)
Lest any hackers think that .-1 tells the whole story, ...

The reason for mashing the password string into a quadword is so that
a trap-door function can be applied to it.  There seems to be no good
way to 'crack' this trap-door function -- the cost is either prohibitive
in space or time, or both (you could just calculate the trap-door function
for all 2^64 different passwords, and crack it with a table look-up).
114.17. "Trap door function; what's that?" by SMAUG::GARROD Sat Apr 12 1986 02:06 (5 lines)
    re .16
    
    What's a trap door function?
    
    Dave
114.18. "Trapdoors easy to fall thru, hard to get back!" by TLE::BRETT Sat Apr 12 1986 03:36 (11 lines)
    
    A "trapdoor" function is a function F:DOMAIN->RANGE such that the
    inverse of F is extremely difficult to compute.
    
    By storing F(PASSWORD) and comparing it to F(GUESS) (rather than
    by storing the password and comparing it to the guess) you make
    it practically useless to have read access to the list of stored
    F(PASSWORD)'s.
    
    /Bevin
    
114.19. "Trap door example" by SKYLAB::FISHER (Burns Fisher 381-1466) Mon Apr 14 1986 02:21 (11 lines)
    re .18:  Example of a trapdoor function is prime factors.  If
    
    	g = F(x,y)
    
    where F is defined as a function on the domain of prime numbers
    which results in their product, it is very easy to compute g given
    x and y, but extremely hard to compute x and y (assuming they are
    large).
    
    Burns