Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!genrad!decvax!harpo!seismo!hao!hplabs!sri-unix!EE.GDS%MIT-OZ@mit-mc
From: EE.GDS%MIT-OZ%mit-mc@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re:  Security Problem?
Message-ID: <2652@sri-arpa.UUCP>
Date: Wed, 29-Jun-83 17:45:00 EDT
Article-I.D.: sri-arpa.2652
Posted: Wed Jun 29 17:45:00 1983
Date-Received: Fri, 1-Jul-83 06:01:57 EDT
Lines: 21

From:  Greg Skinner 

There is another way to hack user logins -- just wander around the
Arpanet looking for a user named "smith" or "jones" who has an account
with no password.  I know instances of this happening with Unix
machines -- in fact, when the TCP/IP switchover took place the users
on our internet vaxes were required to give themselves passwords, or a
password was chosen for them different from their name.  Actually, if
the host has a finger server, you could try all logged-in users
looking for a non-password account.

Also, some users stupidly have login and password names the same.
This happens often when accounts are newly created and the user is not
present at the creation time.  The operator makes the username and
password names the same.

As far as I know, non-password accounts are allowed on Unix, and not
on TOPS-20.

--greg
-------
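
An audit for the two conditions described in the post above, as an added example that is not part of the original post: it lists accounts whose password field is empty and rejects initial passwords derived from the login name. It assumes the 7-field /etc/passwd layout with the password hash in field 2; the sample entries, placeholder hash strings and function names are constructed for illustration.

```python
import secrets
import string

# Constructed sample in the 7-field /etc/passwd layout, password hash in field 2.
# The hash strings are made-up placeholders, not real crypt output.
SAMPLE_PASSWD = """\
root:Xq3placeholder1:0:0:Super User:/:/bin/sh
smith::101:10:J. Smith:/usr/smith:/bin/sh
jones:Ab9placeholder2:102:10:A. Jones:/usr/jones:/bin/csh
uucp:*:4:4:UUCP:/usr/spool/uucp:/usr/lib/uucp/uucico
guest::200:20:Guest:/usr/guest:/bin/sh
"""

def accounts_without_password(passwd_text):
    """Return login names whose password field is empty (no password needed)."""
    found = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; skipped in this sketch
        name, pw_field = fields[0], fields[1]
        # "*", "!" or "x" mean locked or shadowed, not password-free.
        if pw_field == "":
            found.append(name)
    return found

def derived_from_name(username, candidate):
    """True if the candidate is empty or trivially derived from the login name."""
    u, c = username.lower(), candidate.lower()
    # Drop leading/trailing digits and punctuation, so "smith83!" reduces to "smith".
    core = c.strip(string.digits + string.punctuation)
    return c == "" or core in (u, u[::-1]) or c == u + u

def initial_password(username, length=12):
    """Random initial password for an account created while the user is absent."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not derived_from_name(username, candidate):
            return candidate

if __name__ == "__main__":
    print("no password:", accounts_without_password(SAMPLE_PASSWD))
```
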