- old school security

Jerome H. Fine jhfinedp3k at compsys.to
Tue Apr 24 20:18:41 CDT 2007


>Richard wrote:

>Lots of systems made that error.  For instance, RSTS/E stored the
>passwords in cleartext and you could list them out if you were a
>privileged (1,*) user.  I discovered that when you submitted a batch
>job through the @ processor, it ran as user batch on account (1,2).
>So it wasn't too hard to submit a batch job that ran the ACCOUN
>program to list out the passwords.
>
Jerome Fine replies:

Perhaps Zane is following this thread or anyone else
who knows VMS well.  I seem to remember that the
userid / password were placed through the same algorithm
as the stored values.  The results were compared and
that was what produced a match.  In addition, I also
understand that it was impossible to reverse the results
of the "encryption" algorithm.  And with later versions
of VMS, the choice of the password was restricted, possibly
to a string produced at random by VMS itself;  this latter
feature prevented users from having the name of a special
individual as the password.

Does anyone know of any other operating system which requires
secure passwords along with storing only the encrypted
equivalents of the userid / password?

Sincerely yours,

Jerome Fine
--
If you attempted to send a reply and the original e-mail
address has been discontinued due to a high volume of junk
e-mail, then the semi-permanent e-mail address can be
obtained by replacing the four characters preceding the
'at' with the four digits of the current year.
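
Added example, not part of the original message: a minimal account store in which the userid and password go through the same one-way algorithm at enrollment and at login, and only the results are compared. PBKDF2-HMAC-SHA256 stands in for the one-way function (it is not the VMS algorithm); the function names, the uppercase userid normalization, the iteration count and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def derive(userid: str, password: str, salt: bytes) -> bytes:
    """One-way transform of userid and password together."""
    # Length-prefix the userid so ("ab", "c") and ("a", "bc") cannot collide.
    uid = userid.upper().encode()  # assumption: userids are case-insensitive
    material = len(uid).to_bytes(2, "big") + uid + password.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def enroll(accounts: dict, userid: str, password: str) -> None:
    """Store only the salt and the derived value, never the password."""
    salt = os.urandom(16)
    accounts[userid.upper()] = (salt, derive(userid, password, salt))


def verify(accounts: dict, userid: str, candidate: str) -> bool:
    """Run the candidate through the same algorithm and compare results."""
    record = accounts.get(userid.upper())
    if record is None:
        # Do the same work for unknown users so timing reveals nothing.
        derive(userid, candidate, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, derive(userid, candidate, salt))


def dump(accounts: dict) -> list:
    """What a privileged user listing the account file would see."""
    return [(u, s.hex(), h.hex()) for u, (s, h) in accounts.items()]


if __name__ == "__main__":
    db = {}
    enroll(db, "SYSTEM", "constructed-sample-1")  # constructed sample data
    enroll(db, "BATCH", "constructed-sample-1")   # same password, other user
    print(verify(db, "system", "constructed-sample-1"))
    print(verify(db, "system", "wrong-guess"))
    for row in dump(db):
        print(row)  # salts and digests only; no password to list out
```

Because each record carries its own random salt and binds the userid, two accounts with the same password produce different stored values, so a listing of the account file does not reveal shared passwords either.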


