Security Problem?

EE.GDS%MIT-OZ%mit-mc at sri-unix.UUCP
Thu Jun 30 07:45:00 AEST 1983


From:  Greg Skinner <EE.GDS%MIT-OZ at mit-mc>

There is another way to hack user logins -- just wander around the
Arpanet looking for a user named "smith" or "jones" who has an account
with no password.  I know instances of this happening with Unix
machines -- in fact, when the TCP/IP switchover took place the users
on our internet vaxes were required to give themselves passwords, or a
password was chosen for them different from their name.  Actually, if
the host has a finger server, you could try all logged-in users
looking for a non-password account.

Also, some users stupidly have login and password names the same.
This happens often when accounts are newly created and the user is not
present at the creation time.  The operator makes the username and
password names the same.

As far as I know, non-password accounts are allowed on Unix, and not
on TOPS-20.

--greg
-------
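An administrator's audit for the no-password accounts the message describes, added here as an example and not part of the original post. It assumes modern passwd(5) and shadow(5) file layouts; the function names and sample entries are constructed for illustration.

```python
# Constructed sample data in passwd(5) and shadow(5) format; not from the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
smith::1001:100:J Smith:/home/smith:/bin/sh
jones:x:1002:100:K Jones:/home/jones:/bin/sh
daemon:*:1:1:daemon:/:/usr/sbin/nologin
brown:x:1003:100:L Brown:/home/brown:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
jones::19000:0:99999:7:::
brown:!:19000:0:99999:7:::
"""


def parse(text, min_fields):
    """Map login name -> password field, skipping blank, comment and short lines."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= min_fields:
            fields[parts[0]] = parts[1]
    return fields


def passwordless_accounts(passwd_text, shadow_text=""):
    """Return sorted (login, source) pairs whose password field is empty.

    An "x" in passwd defers to the shadow entry. Locked markers such as
    "*" or "!" are not empty passwords and are not reported.
    """
    shadow = parse(shadow_text, 2)
    findings = []
    for login, pw in parse(passwd_text, 7).items():
        if pw == "":
            findings.append((login, "passwd"))
        elif pw == "x" and shadow.get(login) == "":
            findings.append((login, "shadow"))
    return sorted(findings)


if __name__ == "__main__":
    for login, source in passwordless_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{login}: empty password field in {source}")
```

An empty field is only the on-disk condition; whether a login actually succeeds also depends on service settings such as sshd's PermitEmptyPasswords.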


