HP3000-L Archives

February 2006, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Larry Barnes <[log in to unmask]>
Date: Wed, 8 Feb 2006 14:13:54 -0800

Way back when I first entered the HP3000 arena, at my first operator
job, there were two people trying to convince the finance vp they were
the right person for the "Systems Mgr" position.  They would change the
manager.sys password and not tell the other what it was.  This went on
for a few weeks; I'm not sure how they would discover the password and
then change it.
One day after the password was changed the system crashed, unrelated, HP
was called and they were onsite within 1 hour; his first name was Tracy.
After swapping out the bad boards he started to bring up the system.
When it prompted for the manager's password he turned to me and asked me
what it was.  I didn't know so I went looking for the 2 people.  
The first person tried his last change and it didn't work.
I couldn't find the other person, so I went to the vp and asked if he
had been informed of the change; he hadn't.
A call went out over the PA system calling the other person to the vp's
office.  I was sent looking through the shop floor to see if I could
find her; no luck.
I went back to Tracy and told him the situation.  He said he could dig
into the logs and find the password but he would go on the clock and
charge a trip charge and $200.00/hr.  The vp became irritated at this
option.
I decided to check the parking lot and found the other person getting
into her car preparing to leave for the day. I quickly ran out to her
car and explained the situation.  She gave me the password and left.

Shortly after this situation I left this company.  I was informed that
about a month after I left the new manager was selected.  It went to an
outside person!

Long story short, the password was encrypted in the system log.  Tracy
said it would take approx. 4 hours to find it.



-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On
Behalf Of Greg Stigers
Sent: Wednesday, February 08, 2006 1:04 PM
To: [log in to unmask]
Subject: Re: [HP3000-L] passwords

Doesn't Security Monitor allow you to encrypt these?

Doesn't seem like it would be that hard to write a script to try to
brute force guess MPE passwords. I haven't done the math to see how much
harder SECURITY/3000 would make this, assuming session passwords. But I
imagine several of us have first or second hand experience with someone
penetrating a 3000 in half an hour or less. In my last shop, I regret
not declining to be told the system manager password, but instead asking
for the challenge of penetrating the system. Unfortunately, that's not
always a welcome bet to make.

Whereas I've been googling for a tool to try guessing users' Windows
passwords. You wouldn't think it would be that hard to choose a good
password, meaning complex / hard to guess, but easy for the owner to
remember. I've started collecting ideas for ways to come up with
memorable gibberish, since I'll probably get to train some users on this
very thing, without the benefit of a LART.

I suspect that finding out a company's password complexity requirements
cuts the time to brute force dramatically, by allowing one to not test
for simple passwords. I have no idea how to work out the math on that
one.

Greg Stigers 

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
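
The question left open in the quoted message, how much a known complexity policy shrinks the space of candidate passwords, can be worked out by inclusion-exclusion. The following is an added example, not part of either post; the class sizes (94 printable ASCII characters), the lengths and the policies are assumptions constructed for illustration.

```python
from itertools import combinations

# Assumed class sizes for illustration: the 94 printable ASCII characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def total_keyspace(length, classes=CLASSES):
    """Number of strings of exactly `length` over the whole alphabet."""
    return sum(classes.values()) ** length

def compliant_keyspace(length, required, classes=CLASSES):
    """Number of strings of `length` that contain at least one character
    from every class named in `required` (inclusion-exclusion over the
    sets of required classes that a string fails to use)."""
    alphabet = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            usable = alphabet - sum(classes[c] for c in missing)
            count += (-1) ** k * usable ** length
    return count

def fraction_remaining(length, required, classes=CLASSES):
    """Share of the unrestricted keyspace that still satisfies the policy,
    i.e. what is left to cover once the policy is known."""
    return compliant_keyspace(length, required, classes) / total_keyspace(length, classes)

if __name__ == "__main__":
    # Constructed policies, not taken from any real site.
    policies = {
        "letter + digit": ["lower", "digit"],
        "all four classes": ["lower", "upper", "digit", "symbol"],
    }
    for name, required in policies.items():
        for length in (8, 12):
            share = fraction_remaining(length, required)
            print(f"{name:18s} length {length:2d}: {share:.1%} of keyspace remains")
```

For the constructed four-class policy at length 8, a little under half of the unrestricted space remains, and the remaining share grows as the length increases.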

