| T.R | Title | User | Personal
Name | Date | Lines |
|---|
| 3058.1 | | STAR::MFOLEY | Rebel without a Clue | Wed Jul 11 1990 10:31 | 8 |
|
Corporate Policy states that all employees should have their
own account for which they are solely responsible. Why not just
give them all seperate accounts? Secondary passwords on shared
accounts doesn't make any security sense.
mike
|
| 3058.2 | | TLE::REAGAN | Bo knows Pascal | Wed Jul 11 1990 18:15 | 7 |
| Also having primary/secondary passwords makes more sense when
two people have to type in one of the passwords and neither knows
both. If one person types in both passwords, then that is no
more secure than having one long primary password that is the
concatentation of both primary/secondary passwords.
-John
|
| 3058.3 | Two are better than one. | JOCKEY::BEETHAMM | Mike Beetham @EOO DTN = 850-3292 | Thu Jul 12 1990 04:31 | 10 |
| The statement that one long password is as secure as two short ones
is not strictly true. Because VMS maps a password to a long word
the password is not unique. (For example aaaaaaaabbbbbbbb is equivalent
to bbbbbbbbaaaaaaaa as a password. that is if one of these is set
as a password the other password will be accepted by VMS). Thus
if security is measured as the number of random attempts needed
to guess the password successfully two short passwords will require
much more guessing than one long one.
Mike
|
| 3058.4 | Clarification | CRBOSS::LEMONS | And we thank you for your support. | Thu Jul 12 1990 18:04 | 11 |
| Re .1-.3. Woops, my mistake. The 'secondary password' scheme I referred to
in .0 is not the VMS documented secondary password scheme.
We have a captive group account that runs an internally-generated program, that
prompts for a user/password pair, which is verified against a data file. It's
this second 'username' prompting that is hanging the login/creation of the
DECwindow processes.
Now, any thoughts?
tl
|
| 3058.5 | | KONING::KONING | NI1D @FN42eq | Thu Jul 12 1990 19:46 | 8 |
| The same criticism applies.
As for .3: If the password is good, then it takes 2 billion tries to find
it by exhaustive search. (Or is the has a quadword? 2 billion is for
a longword.) So your statement is correct but it doesn't make any
practical difference.
paul
|
| 3058.6 | <This is getting ACADEMIC> | JOCKEY::BEETHAMM | Mike Beetham @EOO DTN = 850-3292 | Fri Jul 13 1990 05:26 | 10 |
| I agree with Paul's comment that my comment on passwords is largely
theoretical. However there are ways of getting at passwords other
than exhaustive search as I know from personal experience of fighting
hackers in an Academic environment. In that situation I found secondary
passwords a useful further protection to standard constraints on
the passwords people use. (Also I guess Paul is right; our passwords
are quadwords which suggests that properly constructed single passwords
are very secure.)
Mike.
|
| 3058.7 | | PEACHS::MITCHAM | Andy in Alpharetta (near Atlanta) | Fri Jul 13 1990 11:44 | 20 |
| Dispensing of the rathole about the use/non-use of secondary passwords and
getting back to the original topic:
>We have a captive group account that runs an internally-generated program, that
>prompts for a user/password pair, which is verified against a data file. It's
>this second 'username' prompting that is hanging the login/creation of the
>DECwindow processes.
Creating a DECterm via the session manager will run SYLOGIN.COM and LOGIN.COM
twice -- the first time as a mailbox (MB), the next as a terminal window (TW).
It sounds as if your program is getting hung up with the MB device. Try
modifying your login to test what device is being used:
$ if f$getdvi("sys$output","trm") .and. -
f$extract(1,3,f$getdvi("sys$output","devnam")) .eqs. "TWA" then -
$ run internally_generated_program
Hope this helps...
-Andy
|
| 3058.8 | Could also look for DECW$DISPLAY and put up a dialogue box. | IO::MCCARTNEY | James T. McCartney III - DTN 381-2244 ZK02-2/N24 | Fri Jul 13 1990 12:32 | 19 |
|
Another suggestion would be to test for the DECW$DISPLAY logical and if
defined, have the program present a dialogue box asking for the password.
The question then becomes would you want to be nice and allow autologin to
occur for subsequent decterm creations? Or, would you want the user to
respecify the password?
BTW. The code in .-1 will stop working with the release of DECwindow V3.
The device name for the pesudo-terminal will be changing. The new device is
named FTAx:. If you adopt such a scheme you might want to anticipate the
change so all you users don't wonder what happened one day to cause everything
to break.
Also, I just noticed the test in .-1 does not run the program for normal VTxxx
terminals. It appears to assume the choice of either mailbox or decterm. What
happens if someone hacks you by hooking up the console terminal?
James
|
| 3058.9 | It's a workaround... | PEACHS::MITCHAM | Andy in Alpharetta (near Atlanta) | Fri Jul 13 1990 13:19 | 12 |
| Well, I provided the code in .7 more as workaround, not solution. Of course,
if the program was, indeed, getting hung up with the mailbox, he could try
doing:
$ if f$getdvi("sys$output","trm") .and. -
f$extract(1,2,f$getdvi("sys$output","devnam")) .eqs. "MB" then -
$ exit
but then this would filter -all- mailboxes from the procedure. This may or
may not be desired.
-Andy
|
| 3058.10 | K.I.S.S. | BOMBE::MOORE | Eat or be eaten | Fri Jul 27 1990 21:36 | 10 |
| There's no reason to look at physical device names at all! The one
condition you care about is whether this login is connected with a
'command terminal'.
All you really need is:
$ if f$getdvi("SYS$COMMAND","trm") then do_secondary_password
[possibly combined with a test for (f$mode() .eqs. "INTERACTIVE")]
|