Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!hao!boulder!sunybcs!bingvaxu!leah!uwmcsd1!ig!jade!ucbvax!INDYVAX.BITNET!IMHW400
From: IMHW400@INDYVAX.BITNET
Newsgroups: comp.os.vms
Subject: Re:  Security problem in DQS
Message-ID: <8712082115.AA26827@ucbvax.Berkeley.EDU>
Date: Tue, 8-Dec-87 08:20:00 EST
Article-I.D.: ucbvax.8712082115.AA26827
Posted: Tue Dec  8 08:20:00 1987
Date-Received: Sun, 13-Dec-87 14:36:17 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 10

It should do no harm to simply delete the offending file after it has been
executed once, instead of doing it at SYSTARTUP time.  Since it does a DEFINE,
the password will be in the permanent DECnet database and need never be set
again, unless one wishes to change it.  I can't help feeling that the person
who wrote the DQS startup procedure has no previous experience with DECnet
management.  (*sigh*)

This *does* mean that the password is *still* stored in a file, but we can
hope that DECnet uses the system password encryption routine to hash it
(as LOGINOUT, AUTHORIZE, and SET PASSWORD do).  Are you listening, DEC?