HP3000-L Archives

October 1997, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Marco A. Zamora" <[log in to unmask]>
Reply To: Marco A. Zamora
Date: Sun, 5 Oct 1997 22:21:02 -0500
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (42 lines)

> From: Tony Furnivall <[log in to unmask]>
> At 09:06 AM 10/3/97 -0400, Craig Proctor wrote:
> >> I'm trying to implement a VPLUS screen to accept a password.
> >> I cannot seem to find HOW to prevent the password from echoing back to
> >> the user as it is being entered.
> and Joe Geiser replied
> >In FORMSPEC, when entering the specs for the field, specify a DType of "S"
> >- which means Security.  This will suppress the echo.
>
> The approach I prefer is to use a Ctrl/N before the field, and a Ctrl/O
> after the field. This switches the terminal (or termulator) into line mode,
> and presents a totally undecipherable set of glyphs on the screen. It is
> probably not 100% secure (one method of hacking it comes to mind, which I
> haven't tried, in 15 years of using the technique), but it WILL work on all
> terminals, even those which lack support for the Security option.

"Totally undecipherable" is totally wrong. What you are doing is a simple
substitution cipher, easily crackable by hand with an HP TERM manual, or by
walking up to a terminal with a printer attached and printing out the screen
(which covers printers that don't know anything about HP's line-drawing
characters: about 90% of slave printers attached to terminals), or by copying
the screen off any Windows termulator and copying it to Notepad (or any other
application).

Careful, don't rely on line-drawing mode to scramble passwords, especially if
users tend to leave screens unattended and/or where the password field stays
on-screen after sending the block-mode input.

On the other hand, I just thought of something: to be *really* sure that the
password is unreachable, be sure that your application completely wipes out the
term's display memory after sending the password: some termulators let you
enter some sort of debugging mode, where you can inspect the contents of
display memory, leaving the password in cleartext.

What we did here for years was to enter cbreak mode and have the program read
passwords a character at a time, echoing asterisks (this was implemented as a
library function --in Pascal :]--), and was pretty easy to use: a simple
function call with the whole security shenanigan wrapped up, and the security
ACLs for the application classified in Image tables.

Cheers...                       Marco Zamora
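An added example (not from the thread or any HP library) that models the two approaches discussed: the line-drawing "scramble" as the fixed substitution it really is, and the cbreak-mode read that echoes asterisks and keeps the password out of display memory. The glyph table is constructed for illustration and is not the real HP terminal line-drawing set.

```python
# Added example: two models of the password-entry approaches in the thread.
# GLYPH_TABLE is a constructed stand-in, NOT the real HP line-drawing set.
import string

# A terminal's line-drawing mode maps each byte to one fixed glyph,
# exactly like a substitution cipher: same byte in, same glyph out.
GLYPH_TABLE = {c: chr(0x2500 + i) for i, c in enumerate(string.printable[:95])}
INVERSE_TABLE = {g: c for c, g in GLYPH_TABLE.items()}

def line_drawing_mask(text: str) -> str:
    """What the screen shows between Ctrl/N and Ctrl/O: one glyph per byte."""
    return "".join(GLYPH_TABLE[c] for c in text)

def recover_from_screen(glyphs: str) -> str:
    """Anyone holding the glyph table (or a screen print) undoes the mapping."""
    return "".join(INVERSE_TABLE[g] for g in glyphs)

def read_masked(keystrokes: bytes) -> tuple[str, str]:
    """The cbreak-mode approach as a pure function: consume raw keystrokes up
    to CR/LF, echo one '*' per accepted character, handle Backspace/DEL, and
    return (password, echoed_output). Only asterisks reach display memory."""
    password: list[str] = []
    echo: list[str] = []
    for b in keystrokes:
        if b in (0x0D, 0x0A):            # Enter: input complete
            break
        if b in (0x08, 0x7F):            # Backspace/DEL: drop last char, erase one '*'
            if password:
                password.pop()
                echo.append("\b \b")
            continue
        if 0x20 <= b < 0x7F:             # printable ASCII only; control bytes ignored
            password.append(chr(b))
            echo.append("*")
    return "".join(password), "".join(echo)

if __name__ == "__main__":
    shown = line_drawing_mask("s3cret")
    print("screen shows:", shown)
    print("recovered:   ", recover_from_screen(shown))
    pw, echoed = read_masked(b"s3cr\x08et\r")
    print("masked read: ", repr(pw), "echo:", repr(echoed))
```

Wiring `read_masked` to a real tty would mean disabling ECHO and canonical mode with termios before feeding it bytes; the pure function keeps the editing and echo logic testable without a terminal.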
