HP3000-L Archives

March 2002, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Tom Emerson <[log in to unmask]>
Reply To: Tom Emerson <[log in to unmask]>
Date: Tue, 12 Mar 2002 10:34:07 -0800
Content-Type: text/plain

> -----Original Message-----
> From: Gavin Scott
> [...] Security/3000 also stores passwords one-way encrypted (IIRC).
> Whether either of them uses *strong* one-way encryption I don't know,
> but I certainly wouldn't be handing out the encrypted values to anyone
> who wanted them.

Many years ago, the encrypted value was only two bytes (16 bits).  At the
time, I calculated out how much "storage" would be needed to create a
"dictionary" of all possible encrypted values, and it spanned many discs "at
the time" -- of course, we're talking about 7933-class drives with max
capacities in the "mere megabytes" range ;)  When it became apparent that
disc capacities and processing power were increasing to the point where it
would be trivial to either use "brute force" to crack passwords or create a
reverse-lookup dictionary, the encrypted value was changed to a 4-byte (32
bit) value.  I think we are on a similar threshold now [and I've let Vesoft
know it], but I think they are focusing their attention on keeping the
encrypted values "secure" [priv files, etc.]

In other words, if you have enough resources to GET the file of encrypted
passwords in the first place, you would have already compromised the
security enough that the passwords would be of little additional value...

Of course, letting a former LDEV1 or the disc containing the encrypted
values "out in the wild" without performing some form of destructive
overwrite would be a severe compromise of security in the first place.
Since these drives are SCSI drives, it should be possible to place them on
ANY other SCSI based system and perform low- or high-level formats in order
to "scratch" them.

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
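
An added example, not part of the original message: it sizes the reverse-lookup "dictionary" the post describes for 16-bit and 32-bit stored values, then shows that a 16-bit output space is completely covered by well under two million arbitrary strings. The product's real algorithm is not given in the thread, so truncated SHA-256 stands in for it; every function name and the 8-byte entry size are assumptions.

```python
import hashlib

def verifier(password: str, bits: int) -> int:
    """Stand-in one-way function (assumption): SHA-256 truncated to `bits` bits."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - bits)

def table_bytes(bits: int, entry_len: int = 8) -> int:
    """Size of a table indexed by stored value, one entry_len-byte string per value."""
    return (1 << bits) * entry_len

def build_reverse_table(bits: int, limit: int = 2_000_000):
    """Hash constructed strings c0, c1, ... until every output value has an entry.

    Returns (table, tried): table maps stored value -> one string that produces it,
    tried is the number of strings hashed before the space was covered (or limit hit).
    """
    table = {}
    space = 1 << bits
    tried = 0
    while len(table) < space and tried < limit:
        candidate = f"c{tried}"          # constructed input, not a real password list
        table.setdefault(verifier(candidate, bits), candidate)
        tried += 1
    return table, tried

def accepted_as(password: str, other: str, bits: int) -> bool:
    """True when a system comparing only the stored value cannot tell the two apart."""
    return verifier(password, bits) == verifier(other, bits)

if __name__ == "__main__":
    for bits in (16, 32):
        print(f"{bits}-bit value: {1 << bits:,} entries, {table_bytes(bits):,} bytes")
    table, tried = build_reverse_table(16)
    print(f"16-bit space fully covered after hashing {tried:,} strings")
    secret = "constructed-secret"        # constructed sample value
    twin = table[verifier(secret, 16)]
    print(f"{twin!r} matches the stored value of {secret!r}: {accepted_as(secret, twin, 16)}")
```

The width of the stored value, not the secrecy of the real password, sets the ceiling here: any string that maps to the same value is indistinguishable from the password, which is why keeping the file private and widening the value are separate protections.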
