T.R | Title | User | Personal Name | Date | Lines |
---|
607.1 | | HSTSSC::PEURA | Pekka Peura, Country Support Finland | Tue Nov 24 1987 22:25 | 7 |
|
How about
$MC AUTHORIZE
UAF> mod xyz/nopassword
or are you looking for something that an unprivileged user could do?
|
607.2 | AUTHORIZE won't do | TSG::PROIA | | Wed Nov 25 1987 12:33 | 9 |
| Sorry, but it must be for non-privileged users.
I'm primarily looking for a way to do it with the SET PASSWORD command,
but any other way for non-privileged users is fine.
Thanks a lot.
Nate.
|
607.3 | | NEWVAX::CRITZ | Richard aka KB4N & N11506 | Wed Nov 25 1987 13:48 | 4 |
| I wouldn't count on finding a way for a non-priv'd user to do it.
Allowing such qualifies as a rather large security hole. I'm sure
something could probably be hacked up to do it but why do you want
to?
|
607.4 | | PASTIS::MONAHAN | I am not a free number, I am a telephone box | Wed Nov 25 1987 17:48 | 3 |
| It would be trivial to write something to be installed with SYSPRV
that would just "fix" the SYSUAF record of the current user, but
why?
|
607.5 | Reason for a null password | TSG::PROIA | | Wed Nov 25 1987 18:06 | 14 |
| The reason I would like to set a null password is to assist in the
modem testing on our system. I need it non-privileged so I can set
the password on and off as I need to.
It's also good to have as other reasons come and go.
I don't expect someone to write code for it. I was just seeing if
there was a quick & dirty way to do it like on the old versions
of VMS.
Happy Thanksgiving.
Nate.
|
607.6 | worth a try (?) | FOR10::JOHN | Let's Go Caps!!! | Wed Nov 25 1987 18:40 | 7 |
| I haven't tried this in a while, but you used to be able to simply
type return at the "new password" and "verification" prompts.
Of course, the minimum password length would have to be 0 in the UAF.
If you try it, let us know if it works...
|
607.7 | Pressing <RETURN> doesn't work | TSG::PROIA | | Wed Nov 25 1987 20:32 | 39 |
|
Pressing <RETURN> in answer to the "New password: " and
"Verification: " prompts yields the "Minimum password length is
xxx / Password not changed" error message. My minimum password length
is 8, so I don't know what happens if you have a minimum password
length of 0.
I don't know if you people know this or not, but I was reading an
old Hackers note the other day and found a way to have passwords
shorter than your authorized minimum length:
$ SET PASS
Old password: <OLD PASSWORD>
New password: <NEW PASSWORD>UUUUUUUUUUUUUUUUVVVVVVVV
Verification: <NEW PASSWORD>UUUUUUUUUUUUUUUUVVVVVVVV
$
If you had, for example, a minimum password length of 6, and you
wanted your password to be "A" you would type:
AUUUUUUUUUUUUUUUUVVVVVVVV for a New password.
If I wanted my password to be my initials (NRP) I would type:
NRPUUUUUUUUUUUUUUUUVVVVVVVV for a New password.
This will work even though I have a minimum password length of 8.
In summary, you type your desired password, followed by 16 U's and
8 V's. The author of the note telling this says it screws up the
password's encryption algorithm.
Keep in mind that this is someone else's hack. I'm not trying to
steal any credit.
Thanks for trying,
Nate.
|
607.8 | Ask your system manager, they are people too | TOOK::MICHAUD | Jeff Michaud | Thu Nov 26 1987 01:15 | 5 |
| If you are doing some kind of testing, I don't see why you couldn't
do like somebody said, and just ask your system manager to set your
min password length to 0 until you are done with your testing.
|
607.9 | | BIRMIC::BELL | ALL-IN-1, OA of life! | Thu Nov 26 1987 03:54 | 9 |
| Re: .6
There is a subtle difference between a NULL password by typing RETURN
at the "New Password" prompt, and having NO password by setting an
account /NOPASS in authorize.
The former STILL prompts for the password on login!
mb
|
607.10 | RE: .9 | MARVIN::HEALEY | Brendan Healey, WACE | Thu Nov 26 1987 20:50 | 10 |
| RE: .9, no it doesn't. If your PWDMIN field in the UAF is set to
0, you can type return as input to set password, and loginout will
not prompt for Password:. Same with setting /NOPASSWORD in authorize.
I have to agree that the 16 x U + 8 x V thing seems to work, though
not for null passwords. We must have a mathematician out there somewhere.
Brendan.
p.s. has anyone got a copy of the password decryption program?
|
607.11 | | MARVIN::WARWICK | DNA puts life into your network | Fri Nov 27 1987 04:34 | 8 |
|
I don't think there _is_ a way of decrypting VMS passwords - the
encryption is not reversible. When you log in, I think the password you
type gets encrypted and compared with the encrypted one stored in the
UAF.
Trev
|
607.12 | | VIDEO::LEICHTERJ | Jerry Leichter | Sat Nov 28 1987 13:29 | 27 |
| re: .10, .11
The password algorithm isn't invertible "in the weak sense" because the
encrypted password is shorter than the original - information is lost, so
many passwords produce the same encryption. Thus, it isn't possible, even
in principle, to always recover the original password. (In principle, it
is POSSIBLE that all but one encrypted value comes from a unique password,
and that all the rest of the possible inputs encrypt to the same, remaining
value. Obviously, if this were true, you wouldn't want to use the particular
encryption algorithm. We also KNOW that it's not true in exactly this form
because of the 16 U's - 8 V's trick, which, BTW, is due to Eric Osman.)
The password algorithm is BELIEVED to be uninvertible "in the strong sense"
that, given an encrypted password, it is BELIEVED to be very difficult to
find the original password it came from - "very difficult" meaning that you
might as well just try all possible passwords and see which ones produce
the right encryption. Note the "BELIEVED": If P=NP, NO password algorithm
can be uninvertible in this sense. Even if P != NP, as is widely assumed, I
know of no proof that the algorithm used isn't invertible if you are just
clever enough - though I also know of no one who claims to know how to do it.
If E(P) is the encryption of the password P, then what is stored in your
UAF entry is E(Correct-password). When you log in, you enter password
Try. LOGINOUT computes E(Try) and compares to E(Correct-Password); if they
match - which they certainly will if Try equals Correct-Password! - you are
in. LOGINOUT need not be able to compute your actual password.
-- Jerry
|
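The check described in .11 and .12, as an added example that is not part of the original thread: only E(Correct-password) is stored, login compares E(Try) against it, and because E loses information, distinct inputs can share one stored value. The function `E` here is a stand-in (truncated PBKDF2-HMAC-SHA256), not the VMS algorithm; the record layout, salt and all names are assumptions made for the illustration, and the 2-byte output width is deliberately tiny so the many-to-one effect is visible.

```python
import hashlib
import hmac
import itertools
import string

ITERATIONS = 1000  # kept low so the demo runs quickly; not a recommended setting
SALT = b"constructed-salt"  # constructed sample value

def E(password: str, salt: bytes, out_bytes: int) -> bytes:
    """Stand-in one-way function: PBKDF2-HMAC-SHA256 truncated to out_bytes."""
    full = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return full[:out_bytes]

def make_record(password: str, salt: bytes, out_bytes: int = 8) -> dict:
    """What the authorization file keeps: salt, width and E(Correct-password) only."""
    return {"salt": salt, "out_bytes": out_bytes,
            "hash": E(password, salt, out_bytes)}

def login(record: dict, attempt: str) -> bool:
    """Compute E(Try) and compare with the stored value; nothing is decrypted."""
    candidate = E(attempt, record["salt"], record["out_bytes"])
    return hmac.compare_digest(candidate, record["hash"])

def find_colliding_pair(salt: bytes, out_bytes: int) -> tuple:
    """Return two distinct inputs with equal E(); certain once inputs outnumber outputs."""
    seen = {}
    # 26**4 candidates exceed the 2**16 possible 2-byte outputs (pigeonhole).
    for chars in itertools.product(string.ascii_lowercase, repeat=4):
        word = "".join(chars)
        digest = E(word, salt, out_bytes)
        if digest in seen:
            return seen[digest], word
        seen[digest] = word
    raise RuntimeError("no collision in candidate space")

if __name__ == "__main__":
    rec = make_record("correct horse", SALT)
    print("right password:", login(rec, "correct horse"))
    print("wrong password:", login(rec, "wrong guess"))
    a, b = find_colliding_pair(SALT, out_bytes=2)
    tiny = make_record(a, SALT, out_bytes=2)
    print(f"stored for {a!r}; {b!r} also logs in:", login(tiny, b))
```

With a 2-byte output the stored value cannot identify which of the colliding inputs was the original, which is the "weak sense" non-invertibility .12 describes; a wider output makes such collisions impractical to find but does not remove them.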