| T.R | Title | User | Personal Name
 | Date | Lines | 
|---|
| 3058.1 |  | STAR::MFOLEY | Rebel without a Clue | Wed Jul 11 1990 09:31 | 8 | 
|  | 
	Corporate Policy states that all employees should have their
	own account for which they are solely responsible. Why not just
	give them all seperate accounts? Secondary passwords on shared
	accounts doesn't make any security sense.
								mike
 | 
| 3058.2 |  | TLE::REAGAN | Bo knows Pascal | Wed Jul 11 1990 17:15 | 7 | 
|  |     Also having primary/secondary passwords makes more sense when
    two people have to type in one of the passwords and neither knows
    both.  If one person types in both passwords, then that is no
    more secure than having one long primary password that is the
    concatentation of both primary/secondary passwords.
    
    				-John
 | 
| 3058.3 | Two are better than one. | JOCKEY::BEETHAMM | Mike Beetham @EOO DTN = 850-3292 | Thu Jul 12 1990 03:31 | 10 | 
|  |     The statement that one long password is as secure as two short ones
    is not strictly true. Because VMS maps a password to a long word
    the password is not unique. (For example aaaaaaaabbbbbbbb is equivalent
    to bbbbbbbbaaaaaaaa as a password. that is if one of these is set
    as a password the other password will be accepted by VMS). Thus
    if security is measured as the number of random attempts needed
    to guess the password successfully two short passwords will require
    much more guessing than one long one.
    
           Mike 
 | 
| 3058.4 | Clarification | CRBOSS::LEMONS | And we thank you for your support. | Thu Jul 12 1990 17:04 | 11 | 
|  | Re .1-.3.  Woops, my mistake.  The 'secondary password' scheme I referred to
in .0 is not the VMS documented secondary password scheme.
We have a captive group account that runs an internally-generated program, that
prompts for a user/password pair, which is verified against a data file.  It's
this second 'username' prompting that is hanging the login/creation of the
DECwindow processes.
Now, any thoughts?
tl
 | 
| 3058.5 |  | KONING::KONING | NI1D @FN42eq | Thu Jul 12 1990 18:46 | 8 | 
|  | The same criticism applies.
As for .3: If the password is good, then it takes 2 billion tries to find
it by exhaustive search.  (Or is the has a quadword?  2 billion is for
a longword.)  So your statement is correct but it doesn't make any
practical difference.
	paul
 | 
| 3058.6 | <This is getting ACADEMIC> | JOCKEY::BEETHAMM | Mike Beetham @EOO DTN = 850-3292 | Fri Jul 13 1990 04:26 | 10 | 
|  |     I agree with Paul's comment that my comment on passwords is largely
    theoretical. However there are ways of getting at passwords other
    than exhaustive search as I know from personal experience of fighting
    hackers in an Academic environment. In that situation I found secondary
    passwords a useful further protection to standard constraints on
    the passwords people use. (Also I guess Paul is right; our passwords
    are quadwords which suggests that properly constructed single passwords
    are very secure.)
    
    Mike.
 | 
| 3058.7 |  | PEACHS::MITCHAM | Andy in Alpharetta (near Atlanta) | Fri Jul 13 1990 10:44 | 20 | 
|  | Dispensing of the rathole about the use/non-use of secondary passwords and 
getting back to the original topic:
>We have a captive group account that runs an internally-generated program, that
>prompts for a user/password pair, which is verified against a data file.  It's
>this second 'username' prompting that is hanging the login/creation of the
>DECwindow processes.
Creating a DECterm via the session manager will run SYLOGIN.COM and LOGIN.COM
twice -- the first time as a mailbox (MB), the next as a terminal window (TW).  
It sounds as if your program is getting hung up with the MB device.  Try 
modifying your login to test what device is being used:
	$ if f$getdvi("sys$output","trm") .and. -
	  f$extract(1,3,f$getdvi("sys$output","devnam")) .eqs. "TWA" then -
	$ run internally_generated_program
Hope this helps...
-Andy
 | 
| 3058.8 | Could also look for DECW$DISPLAY and put up a dialogue box. | IO::MCCARTNEY | James T. McCartney III - DTN 381-2244 ZK02-2/N24 | Fri Jul 13 1990 11:32 | 19 | 
|  | 
Another suggestion would be to test for the DECW$DISPLAY logical and if
defined, have the program present a dialogue box asking for the password.
The question then becomes would you want to be nice and allow autologin to
occur for subsequent decterm creations? Or, would you want the user to 
respecify the password?
BTW. The code in .-1 will stop working with the release of DECwindow V3.
The device name for the pesudo-terminal will be changing. The new device is
named FTAx:. If you adopt such a scheme you might want to anticipate the 
change so all you users don't wonder what happened one day to cause everything
to break.
Also, I just noticed the test in .-1 does not run the program for normal VTxxx
terminals. It appears to assume the choice of either mailbox or decterm. What 
happens if someone hacks you by hooking up the console terminal?
James
 | 
| 3058.9 | It's a workaround... | PEACHS::MITCHAM | Andy in Alpharetta (near Atlanta) | Fri Jul 13 1990 12:19 | 12 | 
|  | Well, I provided the code in .7 more as workaround, not solution.  Of course,
if the program was, indeed, getting hung up with the mailbox, he could try
doing:
	$ if f$getdvi("sys$output","trm") .and. -
	  f$extract(1,2,f$getdvi("sys$output","devnam")) .eqs. "MB" then -
	$ exit
but then this would filter -all- mailboxes from the procedure.  This may or
may not be desired.
-Andy
 | 
| 3058.10 | K.I.S.S. | BOMBE::MOORE | Eat or be eaten | Fri Jul 27 1990 20:36 | 10 | 
|  |     There's no reason to look at physical device names at all!  The one
    condition you care about is whether this login is connected with a
    'command terminal'.
    
    All you really need is:
    
    $ if f$getdvi("SYS$COMMAND","trm") then do_secondary_password
    
    	[possibly combined with a test for (f$mode() .eqs. "INTERACTIVE")]
    
 |