Media Share 9

home *** CD-ROM | disk | FTP | other *** search

/ Media Share 9 / MEDIASHARE_09.ISO / private / pw500.zip / PASSWORD.DOC < prev next >

Wrap

Text File | 1993-02-06 | 23KB | 465 lines

PASSWORD 5.0 (C)1993 Ray Dittmeier P.O. Box 4724 Louisville, KY 40204 DESCRIPTION PASSWORD is designed with two main ideas in mind. The first is that a good password protection program shouldn't look like a password protection program, and the second is that even though you can't keep a determined expert out no matter what you do, you can at least design a feature or two that will probably keep most folks out, and that will tip you off if someone has been poking around at your system. When PASSWORD starts, it gives you a normal-looking but phony C> prompt. Type in anything but the correct password, and the program gives a "Bad command or file name" message. After a specified number (chosen by you) of wrong guesses, it goes into an endless loop of giving the phony C> prompt, accepting input, running the disk drive a little (for the sake of realism), and giving the error message. The only way out of the loop is to reboot the computer. What we hope is that the intruder will think something is wrong with the computer, give up, and go down to the corner bar for a beer. However, typing in the correct password will cause the program to display a message telling you the time and date of the last attempted access, and whether or not the correct password was entered. FILES YOU SHOULD HAVE: 1. PASSWORD.EXE--The main program. 2. NEW.EXE--A utility program that allows you to change the password. 3. PASSWORD.DOC--This documentation file. The password provided with the program is "hello" (without the quotation marks). The program is case-sensitive, meaning that upper case letters and lower case letters are not interchangeable. RUNNING THE PROGRAM: PASSWORD is designed to be run from your AUTOEXEC.BAT file. Since batch files can be terminated early by hitting Control-C, PASSWORD should run as early in your AUTOEXEC.BAT as possible. This will give your intruder less opportunity to cut it off. Ideally, PASSWORD should be preceeded only by ECHO OFF (or @ECHO OFF), and by the PATH command if necessary (discussed below). After displaying the above-mentioned "last attempted access" information, PASSWORD waits for you to press any key to continue. This way, you have the opportunity to read the message and still run subsequent programs from AUTOEXEC.BAT. PASSWORD gives you various options for controlling its appearance and behavior. You can select these options by using command-line parameters when you run the program. (Command-line parameters are merely commands you type after the name of a program at the DOS prompt. For example, when you type FORMAT A:, the "A:" part is a parameter.) The parameters can be typed in any order, and must be separated by spaces. The parameters, and what they do, are: F : This parameter will cause PASSWORD to save the last attempted access information to a text file called PLOG.TXT instead of displaying it on the screen. (You can't get it to use PLOG.TXT and display the information on the screen at the same time; it's either/or.) The program will put the time and date in an ASCII text file, so you can use any text editor (or even DOS' TYPE command) to look at it later. If the correct password was entered, the program adds a + sign after the time/date for that attempt. If the correct password was not entered, the program puts a - after the time/date. The first time you use the F option, PASSWORD creates PLOG.TXT. Thereafter, it adds the time/date/result of each attempt to the file. PLOG.TXT will appear in the same subdirectory with the PASSWORD program. If you want to move PLOG.TXT to a different subdirectory, PASSWORD will be able to find it, and add to it where it is, as long as it's in a subdirectory included in your PATH command. Using F will also bypass the "press any key" feature after the password is entered. Therefore, anyone watching over your shoulder may not catch on that a password program is running. Or if they do, it won't be apparent that the program keeps track of when the computer is turned on. (any number) : Tells PASSWORD to give the user the given number of chances to enter the correct password before going into the endless loop. For example, if you run the program with PASSWORD 5 the program will go into the endless loop after the fifth time something wrong is typed in. Of course, if the right password is entered before the fifth input, the last access information is displayed immediately, and the program proceeds onward from there. If no parameter is given, PASSWORD gives you, by default, three chances. If 0 (number zero) is entered, the program will continue to accept input until the correct password is typed in, no matter how many times the user tries. A : This parameter tells PASSWORD to sound an alarm each time an incorrect password is entered. O : This parameter will cause PASSWORD to simulate loading a different operating system when it starts. You will see a message that "The Delta Operating System is being loaded," with some disk drive activity, and you will see a different prompt. But the PASSWORD program will still operate exactly as it does otherwise. W : This parameter will cause PASSWORD to execute a warm boot after the last-allowed incorrect password is entered. For example, if you're using the program with the default of allowing three incorrect passwords, W will warm boot the computer after the third incorrect entry. Of course, if you use 0, giving users an unlimited number of guesses, there will be no warm boot. P : Allows the user to designate his or her own prompt. By default, the program uses C> as the phony prompt. But you can set your own by entering it on the command line, with P as the first character to tell PASSWORD that what follows is a new prompt. As is the case with the regular DOS prompt command, the $ character can be used to put certain items in the prompt: $D = Current Date (read from system clock) $T = Current Time (read from system clock) $G = > (the "greater than" character) $L = < (the "less than" character) $_ = Space Note that $_ is not one of the choices in the regular DOS PROMPT command. In DOS, a blank space can be placed in the prompt by merely putting a space in the appropriate place in the PROMPT command. However, PASSWORD will interpret a blank space as a space between parameters; therefore, anything after the space will be seen as a different parameter and left out of the prompt. So $_ is necessary to give you the possibility of including a space. A period cannot be used in the prompt. If a period occurs anywhere in your P parameter, PASSWORD will think the entire parameter is supposed to be a file name rather than a prompt. (The reason for entering a file name is explained below.) Although DOS recognizes other "$ commands" for its prompts, the ones listed above are the only ones PASSWORD uses. Anything else you want, such as a directory name, must be typed in exactly as you want it. For example, if you want your PASSWORD prompt to give the current time and show the C:\ directory with the usual > character at the end, enter PASSWORD P$TC:\> Using the letter P by itself will give you no prompt at all; the cursor will appear at the left-hand edge of the screen. The following six parameters affect the screen display only. The PASSWORD program will still recognize the real letters you type from the keyboard. These options are designed to confuse intruders, hide the password if someone's looking over your shoulders, or both. R : Displays a randomly chosen ASCII character instead of the actual letter typed from the keyboard. Remember that some ASCII codes, when sent to the screen, will do things like give you carriage returns, backspaces, beeps, etc., which may be distracting. So with R, it might take a bit of extra concentration to get the password correct. L : Displays a randomly chosen letter, rather than actual letter typed at the keyboard. (Not any ASCII character, as with "R"; this option limits the choice to letters of the alphabet.) If you type an upper-case letter, an upper case letter will be displayed. If you type a lower case letter, a lower case letter will be displayed. This option can be useful if other people are likely to be in the room when you turn on your computer. Anyone who watches the screen will, we hope, think the randomly-chosen letters are actually the password. In addition to selecting this option by typing "L" on the command line, you can also turn it on after the program's already running. Merely press the Tab key, and all further input will give randomly chosen letters on your screen. The reason for this "Tab" feature is that using "L" in your AUTOEXEC.BAT will give it to you every time. But if you have extra people lurking in the room only occasionally, you might want to use it only on those occasions. D : Displays a dot (period) instead of the letter typed. N : Displays nothing in response to keyboard entry (until the Enter key is pressed). B : Clears the screen and displays nothing at all--not even a cursor. V : This parameter will cause PASSWORD to start with a phony virus warning. The message (falsely) identifies the program as "Virus Cop" (as far as I know, there's really no program by that name) and states that a virus has been detected. The message instructs the user to "run the INSPECT program from the original floppy disk in your VIRUS COP package before proceeding further. Insert disk in drive A and press return to continue." Any time an incorrect password is entered, the program runs the A drive a bit, beeps, and repeats the message--as if it's looking for the INSPECT program and not finding it. However, all you have to do is enter the correct password. Some of the parameters described above can be used in various combinations; others can't. For example, you can use V and O together. It'll simulate loading the other operating system, then give the phony virus warning. However, B and R won't work at the same time; B gives you nothing on your display, and R gives you random characters. They are, obviously, not compatible. However, if you choose options that don't work together, it's not a problem. PASSWORD will merely use the one that appears first on the command line and ignore the other. If you don't get what you expect on the screen, it's likely you've chosen a combination of options that won't work together. Any file name (as a parameter): First, a brief (I hope) explanation. The program maintains a text file called PLS.COM (by default), which contains: 1. The current password, 2. The date and time of the last attempted access, and 3. Whether the correct password was given. The .COM extension in the file name is just in case an intruder gets in and pulls up a directory listing. He's not likely to try to look at the file with the "TYPE" command, since he'll think it's a program. But even if he does for some weird reason, he'll just see high-ASCII graphics characters because the file's encrypted--hopefully giving the appearance of an authentic .COM file. Obviously, PLS.COM will be read from, and written to, every time you start your computer. But it was brought to my attention by a user of an earlier version of PASSWORD that his virus-detection program sounds an alarm every time an .EXE or .COM file is modified. Not really a big deal. In fact, I like the idea (thus the A option described above). But modifying a .COM file could be a real problem with other virus-detection schemes, or for people who don't want an alarm. So I've provided the possibility to have PASSWORD use a name other than PLS.COM for its text file. Simply enter the new name you want to use for the text file as a command-line parameter, and PASSWORD will use that name instead. This file doesn't have to be in the same subdirectory with PASSWORD; if you don't want it there, specify the full subdirectory name or make sure it's in a subdirectory included in your PATH command. If you use this feature, keep the following in mind: 1. The new file name must have an extension (the one-to-three- letter part of the file name that follows the period, such as the .COM in PLS.COM). It doesn't matter what the extension is, but PASSWORD looks for the period to determine whether a parameter is a file name. If there's no period, the program won't recognize it as a file name. If you don't want to use an extension, put a period at the end of the file name on your command line: PLS. rather than PLS 2. Make absolutely sure that the new name you use isn't the name of a file that already exists. Otherwise, PASSWORD won't work correctly, and you'll destroy the already- existing file that has that name. 3. Test-run PASSWORD after you set it up to use the new file name. If you've make a mistake in typing in the new file name, PASSWORD will display the error message "Illegal file name for PASSWORD data file." In this case, the problem is probably one of two things. Either you've used an illegal file name (consult your DOS manual for guidelines on legal file names), or you've specified a subdirectory that doesn't exist on your system. EXAMPLES PASSWORD A R 4 will run PASSWORD with the alarm option, have it display random ASCII characters, and give the user four chances to enter the correct password. PASSWORD O 0 C:\DOS\SAMPLE.TXT will run password with the simulation of another operating system, give the user an unlimited number of chances to enter the correct password, and use a file called SAMPLE.TXT (located in the subdirectory C:\DOS) instead of PLS.COM. PASSWORD N B will run password with the N parameter option only--it can't run both N and B, and N appears first on the command line. PASSWORD O B This is one I particularly like. It gives the simulation of the other operating system, leaving the "Delta" message at the top of the screen, but gives no prompt or cursor. It gives the appearance that loading Delta locked up the machine. PASSWORD P$D$T$G 2 L F will run PASSWORD with a prompt that gives the current date and time, ending with the > character. It gives you two chances to enter the correct password, and displays random letters in response to what you type. The "attempted access" information is added to PLOG.TXT, and is not displayed after the password is entered. OTHER IDEAS I named PASSWORD and NEW as I did to make them easy for you to identify. However, this will, at least in the case of PASSWORD, make identification easy for the intruder also, should he happen to get in. You may want to rename them to something less obvious. If you do, though, keep in mind that they must have the .EXE extension in order to run. Also, you can place each file in a different directory. If you do this, be sure of two things: (1) PLS.COM (or the renamed version) must be in the same subdirectory with PASSWORD, or in a subdirectory listed in your PATH command, or its directory must be specified on your PASSWORD command line. (2) The PATH command, if you need it, must come before the call to PASSWORD in AUTOEXEC.BAT. CHANGING THE PASSWORD To change the password, I've provided NEW.EXE. If you're using a different name than PLS.COM for your data file, enter that name after you type NEW at the DOS prompt. Typing NEW C:\DOS\SAMPLE.TXT will run NEW and instruct it not to look for PLS.COM, but for C:\DOS\SAMPLE.TXT instead. If you specify a file name, and there is no file with the name you specify, NEW will create it. If you don't specify a file name, NEW will use PLS.COM. If you don't specify a subdirectory, NEW will first look in the current directory to see if the information file exists. If it's not there, it will look at all the subdirectories listed in your PATH command, if you have one. If it still doesn't find the file, the program will create a new one with the name you specified on the command line--or, if you didn't specify a name, it will use PLS.COM. When NEW starts, it gives you a ? as a prompt. Enter the current password. The program then prompts you to type in your new password. The new password can be up to 79 characters long and can include any character that can be typed on the keyboard, including spaces. NEW then replaces the old password in PLS.COM (or its replacement) with an encrypted version of the new one. The last access information contained in the file is preserved. Or, if appropriate, NEW creates a new file containing the password you give it. If, when starting NEW, you enter an illegal file name, or specify a subdirectory that doesn't exist, NEW will merely stop and give you back your real DOS prompt. If, at NEW's ? prompt, you enter the wrong password, the program harmlessly goes back to DOS. You get just one chance to get it right, but if you make a mistake, you can run NEW again. A FEW OTHER NOTES: PASSWORD can be run at times other than when you boot up your computer. For example, suppose you're running an application that has a DOS Shell feature. When you're ready to go out to lunch, simply shell to DOS and run PASSWORD. This will keep other folks in the office from snooping around on your machine. If you do this, it might be a good idea to use the 0 option (unlimited number of wrong entries). That way, if someone gets curious, you'll still be able to get back in, no matter how much typing your curious friend does. In any case, be certain to save your work first. If you're using an option that doesn't display your input (N, B, or V), and you lose track of what you're typing, remember that Escape will wipe out anything you've typed for the current entry. So you can hit Escape and start over without PASSWORD counting a wrong guess. (I just mention this because it might be useful some time, but some folks might not think of it if they can't see any input.) If PLS.COM isn't present (such as the first time you run the program, or if something happens to erase it), PASSWORD will create a new one. The only way you will know this has happened will be if you are sure you have entered the correct password but are still denied access. In this case, the password will be "hello." When PASSWORD creates a new PLS.COM, it will be in the same subdirectory as the program itself, unless you've specified a different subdirectory with the "rename PLS.COM" option described above. If you've specified a different file name on your PASSWORD command line, the new PLS.COM-type file will have the name you gave it. If you forget your password, simply follow these steps: (1) Start your computer with a bootable floppy disk in drive A, so that PASSWORD will not run. (2) Delete PLS.COM. (Or whatever name you're using for the file) (3) Run NEW. The password will be "hello". It will create a new PLS.COM containing the password you enter at the ? prompt. PASSWORD is set up to simulate DOS with as much realism as is reasonably possible. For this reason, the F1 key will give you a single character from your previous entry (if there is a previous entry), and the F3 key will reproduce your entire previous entry. The Escape key will erase anything you've typed in your current entry. However, if the L option is in effect, F1 will give you any random character that can be typed from the keyboard. F3 will display a different, but same-sized, set of random characters. If you're using the R option, those two keys will do the same thing, but will give you any ASCII character at random. After entering the correct password, keep in mind that if the message indicates the password was not given, this still doesn't mean the intruder didn't get in. He may have figured out that he was dealing with some kind of security system and rebooted with a floppy disk in drive A. Of course, PASSWORD has no way of knowing if this happens, but if the intruder starts out by trying to boot off the hard drive (and that's the most likely thing he'd do), you'll at least know someone was there. A hedge against this would be to include PASSWORD in the AUTOEXEC.BAT of each of your bootable floppy disks (The password program doesn't have to be on the disk; just specify C: and the path in the line that calls it). This way, the intruder will have to bring his own disk in order to avoid PASSWORD. I was careful to design PASSWORD so that it would run smoothly if used correctly, and I'm sure I succeeded. Further, the possibility of disaster is, to the best of my knowledge, nonexistent, because you can always bypass PASSWORD by booting off drive A. However, since this is a harsh and unpredictable world, and since I've seen people do many weird and impossible things on computers, I feel it's prudent to disclaim responsibility for any disasters that may result from the use of this software. I'm happy to help with whatever problems I can, but don't send me a bill for a new computer. Finally, I'm distributing this program as shareware. Feel free to copy it and pass it around; just be sure to keep all the files together. If you're a distributor, put it in your catalog and send me a copy. If you like and use PASSWORD, please register it for $12.00, and I'll send you a disk with more programs. These programs will be my most popular and/or most recent ones. Usage of anything on the disk is covered by the one registration fee you'll already have paid. So you may use any or all of the programs with no further obligation. Also, I'd like to receive any comments, criticisms, or suggestions you may have, and I'll be glad to answer questions. Send all correspondence to: Ray Dittmeier P.O. Box 4724 Louisville, Ky. 40204 E-mail can be sent on GEnie to R.DITTMEIER, or on CompuServe to 71650,1214.