[Cryptography] The proper way to hash password files

Bill Stewart billstewart at pobox.com
Mon May 26 21:01:06 EDT 2014


At 02:28 AM 5/26/2014, Dave Horsfall wrote:
>Oops - it was CTSS at MIT.

RSTS-11, circa 1973, kept the password file in unencrypted 
non-world-readable form, but didn't zero temporary files left on the disk.

And the version of BASIC* that it ran let you allocate a virtual 
array, which stored your data on disk instead of in RAM, and also 
didn't zero the space on disk.
So in Heartbleed-like fashion, you could snarf up chunks of 
formerly-used disk space by allocating a virtual array, not zeroing 
it, and printing out the contents to see if there was anything cool there.
So some curious high school students did this on the time-shared 
PDP-11 at the university that they connected to from an overused 
teletype at 110 baud, and while most of the contents were gibberish 
or mostly harmless, one was from a previous edit of the password 
file.  We weren't sure how previous, but at least most of the passwords worked.

The mainframe I used as an undergrad was running VM, with several 
batch-processing systems on it, and eventually also CMS, and the batch 
accounts used 4-character passwords, which would have been inadequate 
for any serious attack, but were mostly ok since doing brute force 
with punch cards really wasn't worthwhile.  One undergrad computer 
operator (not me, but he's shown up here occasionally) guessed that 
the backup password for the VM operating system was BKUP, so he tried 
running it as an application program on top of the main VM and giving 
it one of the guest operating systems as data.  To IBM's credit, it 
worked ok, albeit very slowly, and to the university's credit, they 
didn't fire him from the operator job, though they did ask him not to 
do it again, and changed the password to something less obvious.


