1993-11-12 - VMS Password security

Header Data

From: baldwin@LAT.COM (Bob Baldwin)
To: cypherpunks@toad.com
Message Hash: 0917bc46bade367ce20aba999bb7f95928847fb4bb01e017b5f32ab7ae0260c0
Message ID: <9311122148.AA01051@LAT.COM>
Reply To: N/A
UTC Datetime: 1993-11-12 22:29:42 UTC
Raw Date: Fri, 12 Nov 93 14:29:42 PST

Raw message

From: baldwin@LAT.COM (Bob Baldwin)
Date: Fri, 12 Nov 93 14:29:42 PST
To: cypherpunks@toad.com
Subject: VMS Password security
Message-ID: <9311122148.AA01051@LAT.COM>
MIME-Version: 1.0
Content-Type: text/plain


	One of the barn-door sized holes in VMS was (still is?) that
VMS used the Purdy Password hashing function.  I considered using it
for the Oracle RDBMS password function, but dropped the idea when I
realized that it is possible to invert the hash function.  I don't have
my notes, but I recall that it only took me a couple days to work it out.
The problem is that many passwords hash to the same value.  It is actually
hard to find out the true password that someone else chose, but easy to
find another password that will hash to the same value.  The hard part is
finding a printable password that maps to the desired value.
		--Bob Baldwin






Thread