Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!uunet!husc6!hao!boulder!sunybcs!bingvaxu!leah!uwmcsd1!ig!jade!ucbvax!INDYVAX.BITNET!IMHW400 From: IMHW400@INDYVAX.BITNET Newsgroups: comp.os.vms Subject: Re: Security problem in DQS Message-ID: <8712082115.AA26827@ucbvax.Berkeley.EDU> Date: Tue, 8-Dec-87 08:20:00 EST Article-I.D.: ucbvax.8712082115.AA26827 Posted: Tue Dec 8 08:20:00 1987 Date-Received: Sun, 13-Dec-87 14:36:17 EST Sender: daemon@ucbvax.BERKELEY.EDU Organization: The ARPA Internet Lines: 10 It should do no harm to simply delete the offending file after it has been executed once, instead of doing it at SYSTARTUP time. Since it does a DEFINE, the password will be in the permanent DECnet database and need never be set again, unless one wishes to change it. I can't help feeling that the person who wrote the DQS startup procedure has no previous experience with DECnet management. (*sigh*) This *does* mean that the password is *still* stored in a file, but we can hope that DECnet uses the system password encryption routine to hash it (as LOGINOUT, AUTHORIZE, and SET PASSWORD do). Are you listening, DEC?