- Path: sparky!uunet!elroy.jpl.nasa.gov!ames!agate!ucbvax!UH01.Colorado.EDU!DWING
- From: DWING@UH01.Colorado.EDU (Dan Wing)
- Newsgroups: comp.os.vms
- Subject: Re: PASSWORDS & SCHEMES
- Message-ID: <01GT8W0T1GO2006MJF@VAXF.COLORADO.EDU>
- Date: 8 Jan 93 01:29:08 GMT
- Sender: daemon@ucbvax.BERKELEY.EDU
- Distribution: world
- Organization: The Internet
- Lines: 49
-
- Jon Baker, SYSTEM_JB@UNODE1.NSWC.NAVY.MIL, writes:
-
- >We have a problem with users here in that they tend to write passwords down.
- >"That's bad." Many users have several accounts on different systems and
- >therefore must remember several passwords. For security purposes, we generate
- >the passwords and they look like some foreign encryption code. We were
- >wondering if anyone has or knows of a program or product we could use to check
- >passwords for a conformity standard (make sure they HAD special characters in
- >it, etc.) so that we could allow users to make up their own passwords. We
- >don't do it now since they could just put in their username or a proper name
- >even with the password checker provided in VMS 5.4. That wouldn't be "prudent"
- >in a security conscious environment. I guess we could use some extra password
- >dictionaries as well. O-)
-
- The V5.4 password checking algorithm does not allow your username to be
- your password, or your username + username:
-
- $ SET PASS
- Old password:
- New password: DWINGDWING
- %SYSTEM-F-PWDWEAK, password is too easy to guess; please choose another string
-
- Mayhaps someone with source listings could detail all the various permutations
- that are (currently) disallowed.
-
- You can implement your own site-specific password policy. See
- SYS$EXAMPLES:VMS$PASSWORD_POLICY.ADA, .B32. This requires changing a SYSGEN
- parameter (LOAD_PWD_POLICY) so you'll have to reboot a few times to get
- it working to your satisfaction. I'm sure someone on the net has one
- written in Macro or C, and would volunteer that program for public
- consumption?
-
- Using the site-specific policy, you can require that special characters such
- as @, #, $, %, &, etc., be present in the password string. It also captures
- the plaintext password -- I hope it goes without saying, but DON'T STORE
- THIS ANYWHERE!
-
- Also add site-specific words to your password dictionary (I don't know if a
- site-specific password policy causes the dictionary and password history to
- be disabled or supplemented with the site-specific password policy). The
- VMS V5.5 release notes describe how to best add your own words to the
- password dictionary (section 2.27.3). Some words used by some worm programs
- aren't in this dictionary (if you add all the words that you learned in
- Junior High you'll cover most of them).
-
- -Dan Wing, dwing@uh01.colorado.edu or wing_d@ucolmcc.bitnet (DGW11)
- Systems Administrator, University Hospital, Denver
-
-
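The checks discussed in the post above (username, username + username, a required special character, site-specific words), as an added example in portable C that is not part of the original post and is not the VMS$PASSWORD_POLICY interface. The function names, verdict codes, word list, case-insensitive comparison and substring dictionary match are all assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Verdict codes are hypothetical names for this example. */
enum pwd_verdict { PWD_OK, PWD_IS_USERNAME, PWD_NO_SPECIAL, PWD_IN_DICTIONARY };

/* Constructed sample of site-specific words; a real list would be far longer. */
static const char *const site_words[] = { "HOSPITAL", "DENVER", "COLORADO" };

/* Case-insensitive equality of the n bytes at a and the n bytes at b. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return 0;
    return 1;
}

/* True if pwd is exactly `user` repeated `times` times. */
static int is_repeated_username(const char *pwd, const char *user, int times)
{
    size_t ul = strlen(user);
    if (ul == 0 || strlen(pwd) != ul * (size_t)times)
        return 0;
    for (int k = 0; k < times; k++)
        if (!eq_nocase(pwd + (size_t)k * ul, user, ul))
            return 0;
    return 1;
}

/* Checks the proposed password in memory only; nothing is logged or stored. */
enum pwd_verdict check_password(const char *user, const char *pwd)
{
    if (is_repeated_username(pwd, user, 1) || is_repeated_username(pwd, user, 2))
        return PWD_IS_USERNAME;
    if (strpbrk(pwd, "@#$%&") == NULL)   /* the characters named in the post */
        return PWD_NO_SPECIAL;
    for (size_t i = 0; i < sizeof site_words / sizeof site_words[0]; i++) {
        size_t wl = strlen(site_words[i]);
        /* Assumption: reject a site word found anywhere inside the password. */
        for (size_t off = 0; off + wl <= strlen(pwd); off++)
            if (eq_nocase(pwd + off, site_words[i], wl))
                return PWD_IN_DICTIONARY;
    }
    return PWD_OK;
}
```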