Special chars humor (was password security)

Daryl Clevenger dlc at dlc.fac.cs.cmu.edu
Sat Dec 24 18:38:22 AEST 1988


In article <8594 at alice.UUCP> debra at alice.UUCP () writes:
>Requiring the use of a non-alphanumeric character is not at all sufficient.
>Many people react to this by just putting a special character (usually ".")
>in front of their old password...
>

(This post is just a humorous interjection, not a comment one way or the
 other.  It does illustrate yet another example of a program that missed
 a boundary case.)

A friend of mine that used to work for a research project here at CMU had an
interesting thing happen to him related to this.  His group had a few HP
Bobcats running HP/UX and he was given an account on them.  Upon logging
in the first time, he was asked to change his password and was required
to use at least one non-alphanumeric character (I don't know if it cared
where it was put into the password string).  Being relatively naive about
UNIX and not knowing its history, he picked '@' as his special character,
which /bin/passwd gladly accepted.

Guess what happened the next time he tried to login?  The system kept printing
"Login incorrect" and he was certain he was using the right passwd.  Finally,
he called me up and related what had happened to me.  I asked him which
special character he used, and I thought about it for a moment.  Then I
remembered that the default 'Kill line' character used to be '@'.  I told him
to type his passwd at the "login:" prompt (why not, nobody could use it for
much as it was) and tell me what happened.  My suspicions were confirmed
when I heard the screams and cursing.

Moral:  All characters are special; some are more special than others.

------------
Daryl Clevenger				dlc at cs.cmu.edu
CMU CS/RI Facilities Staff
-- 
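The boundary case in the story, as an added example that is not part of the original post: a password-change check that flags characters the terminal driver would consume in canonical mode, plus a small simulation of what login receives. All function names are hypothetical, `HISTORIC_CC` is a constructed table using the old '@' kill and '#' erase defaults, and a zero byte is assumed to mean "disabled".

```python
import termios

# Constructed sample table: historical defaults, '@' = kill line, '#' = erase.
HISTORIC_CC = {"VKILL": b"@", "VERASE": b"#"}

# Line-editing and signal characters the tty driver acts on in canonical mode.
CC_NAMES = ("VKILL", "VERASE", "VWERASE", "VEOF", "VINTR",
            "VQUIT", "VSUSP", "VLNEXT", "VREPRINT")

def tty_special_chars(fd):
    """Read the special characters currently set on the terminal at fd."""
    cc = termios.tcgetattr(fd)[6]
    table = {}
    for name in CC_NAMES:
        idx = getattr(termios, name, None)   # not every platform defines all
        # Assumption: a zero byte marks a disabled slot (_POSIX_VDISABLE == 0).
        if idx is not None and isinstance(cc[idx], bytes) and cc[idx] != b"\x00":
            table[name] = cc[idx]
    return table

def untypeable(password, cc_table):
    """Return [(position, char, cc_name)] for each byte the tty would consume."""
    by_value = {value: name for name, value in cc_table.items()}
    hits = []
    for pos, byte in enumerate(password.encode()):
        name = by_value.get(bytes([byte]))
        if name:
            hits.append((pos, chr(byte), name))
    return hits

def what_login_receives(typed, cc_table):
    """Simulate canonical-mode line editing for VKILL and VERASE only."""
    line = bytearray()
    for byte in typed.encode():
        key = bytes([byte])
        if key == cc_table.get("VKILL"):
            line.clear()                     # kill: discard the whole line so far
        elif key == cc_table.get("VERASE"):
            if line:
                line.pop()                   # erase: drop the previous byte
        else:
            line.append(byte)
    return line.decode(errors="replace")
```

A password-setting program would call `untypeable(new_password, tty_special_chars(0))` and refuse the change when the list is non-empty; this only covers the terminal it runs on, not every terminal the user may later log in from.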



More information about the Comp.unix.wizards mailing list