Finding Passwords

Michael Meissner meissner at osf.org
Sat Oct 6 05:29:04 AEST 1990


In article <651 at puck.mrcu> paj at mrcu (Paul Johnson) writes:

| No it does not.  What M. Faraut originally wrote was:
| 
| >         - CPU prompts "login:"
| >         - type your login name
| >         - CPU uncrypts your secret keyword and displays it on screen.
| > (Each user keeps up his own secret keyword encrypted in a personal file;
| > only the owner and root can read/modify this file.)
| >         - CPU prompts "passwd:"
| >         - Now you can either type your usual passwd if the secret
| > keyword was right, or do anything else, possibly aborting the session.
| 
| 
| You do not type your password until the computer has given you your
| secret keyword.  The only problem with this is that someone might be
| looking over your shoulder.  There are ways around this, but they
| start getting too complicated for humans to use: for example the user
| could challenge the computer with one of a range of keywords to which
| the computer would have to respond with a corresponding word (eg
| donald-duck, micky-mouse, brian-kernighan)
| 
| Computer: Login:
| User: paj
| C: Your challenge:
| U: [no echo] micky
| C: My response is "mouse".  Your password:
| U: [no echo] secret
| C: paj logged in at....
| 
| This will prevent problems with someone looking over your shoulder on
| one occasion, but if they can watch you repeatedly then it starts
| becoming easier.  A plain trojan could not make the correct response:
| all it could collect would be the user's challenge.  It would not be
| able to make the response (unless the villain had managed to deduce
| the list by prolonged observation) and hence would fail.

It reminds me of one of the internal systems at Data General back in far
more trusting days of yore...

At that time, many of the internal systems had a guest account (X.PUB)
that had limited rights -- initially normal access rights, later it
was only allowed on non-sensitive directory trees.  One system decided
to change its X.PUB's initial shell to ask certain DG trivia
questions.  If you got three right in a row before missing any three
answers you were allowed to log on.  The trivia was things like where
is building 14B and the answer was 'webo' (building 14B was at the
time where most of the Mass. developers worked, 14A was headquarters).
In any case, the questions were selected randomly.

Getting back to the above topic, something like this can be used to
authenticate a user, providing you have a large enough base of
questions (maybe a one time pad...).

Where such things break down is other servers like FTP which grant
rights to people but don't go through the extra shell.  This technique
was used for example to break into a system using a privileged account
which did not have logon privileges, but was used by the mail system
for updating the system databases.  After I and others pointed this out,
the mail servers were eventually changed to use more secure means of
updating records.

--
Michael Meissner	email: meissner at osf.org		phone: 617-621-8861
Open Software Foundation, 11 Cambridge Center, Cambridge, MA, 02142

Do apple growers tell their kids money doesn't grow on bushes?
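The challenge/response login that paj sketches above (user sends a challenge word, the machine must answer with the matching word before the user types a password), written out as an added example in Python. This is not code from the original post or from any of the systems it mentions; the keyword pairs (donald/duck, micky/mouse, brian/kernighan), the user name "paj" and the password "secret" are taken from the post as constructed sample data, and the classes GenuineServer, TrojanPrompt and Client are assumed names for this example. It goes one step beyond the post by consuming each challenge word after a single use, which addresses the "if they can watch you repeatedly" weakness the post raises.

```python
import hmac
import secrets

# Constructed sample: the user's personal keyword file from the post.
# Each challenge word maps to the response the genuine system must give.
# On the real system this file is readable only by the owner and root.
KEYWORD_FILE = {
    "donald": "duck",
    "micky": "mouse",
    "brian": "kernighan",
}


class GenuineServer:
    """The real login program: knows every user's keyword pairs and password."""

    def __init__(self, users):
        # users: name -> (keyword pairs, password)
        self._users = {name: (dict(pairs), pw) for name, (pairs, pw) in users.items()}

    def respond(self, user, challenge):
        """Answer the user's challenge word, or None if it is unknown."""
        pairs, _ = self._users[user]
        return pairs.get(challenge)

    def check_password(self, user, password):
        _, pw = self._users[user]
        return hmac.compare_digest(pw, password)


class TrojanPrompt:
    """A fake login program that mimics the prompts but has no keyword file.
    All it can do is record what the user types."""

    def __init__(self):
        self.captured = []

    def respond(self, user, challenge):
        self.captured.append(("challenge", user, challenge))
        return None  # it cannot know the matching word

    def check_password(self, user, password):
        self.captured.append(("password", user, password))
        return True


class Client:
    """The user's side of the exchange. Each challenge word is used once,
    so a pair seen over the shoulder will not be accepted again."""

    def __init__(self, user, keyword_file, password):
        self.user = user
        self.unused = dict(keyword_file)
        self.password = password

    def login(self, server):
        if not self.unused:
            return "no challenges left"
        # pick an unused challenge at random and retire it immediately
        challenge = secrets.choice(sorted(self.unused))
        expected = self.unused.pop(challenge)
        answer = server.respond(self.user, challenge)
        # the machine must prove itself before the password is typed
        if answer is None or not hmac.compare_digest(answer, expected):
            return "aborted: wrong response"
        if server.check_password(self.user, self.password):
            return "logged in"
        return "bad password"


if __name__ == "__main__":
    server = GenuineServer({"paj": (KEYWORD_FILE, "secret")})
    client = Client("paj", KEYWORD_FILE, "secret")
    print(client.login(server))        # logged in
    trojan = TrojanPrompt()
    print(client.login(trojan))        # aborted: wrong response
    print(trojan.captured)             # only the challenge word, no password
```

Running it against the TrojanPrompt shows the property the post relies on: the fake prompt collects the challenge word and nothing else, because the client never reaches the password step. The gate only protects the login path, which is the post's closing point: any service that checks the password file directly (FTP, a mail updater) never sees this exchange at all.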
