Path: sparky!uunet!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!ucbvax!PSULIAS.PSU.EDU!JLW
From: JLW@PSULIAS.PSU.EDU ("J.Lance Wilkinson, 865-1818", 814)
Newsgroups: comp.os.vms
Subject: Re: PASSWORDS & SCHEMES
Message-ID: <01GT9TRQCTGKC2ICDK@psulias.bitnet>
Date: 8 Jan 93 15:21:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The Internet
Lines: 64

Dan Wing <DWING@UH01.COLORADO.EDU> answered on 8-JAN-1993 01:03:
>Jon Baker, SYSTEM_JB@UNODE1.NSWC.NAVY.MIL, writes:
>
... some of Jon's query omitted ...

>>the passwords and they look like some foreign encryption code. We were
>>wondering if anyone has or knows of a program or product we could use to check
>>passwords for a conformity standard (make sure they HAD special characters in
>>it, etc.) so that we could allow users to make up their own passwords. We
>>dictionaries as well. O-)
>
... some of Dan's commentary omitted ...

>You can implement your own site-specific password policy. See
>SYS$EXAMPLES:VMS$PASSWORD_POLICY.ADA, .B32. This requires changing a SYSGEN
>parameter (LOAD_PWD_POLICY) so you'll have to reboot a few times to get
>it working to your satisfaction. I'm sure someone on the net has one
>written in Macro or C, and would volunteer that program for public
>consumption?
>
>Using the site-specific policy, you can require that special characters such
>as @, #, $, %, &, etc., be present in the password string. It also captures
>the plaintext password -- I hope it goes without saying, but DON'T STORE
>THIS ANYWHERE!
>
>Also add site-specific words to your password dictionary (I don't know if a
>site-specific password policy causes the dictionary and password history to
>be disabled or supplemented with the site-specific password policy). The
>VMS V5.5 release notes describe how to best add your own words to the
>password dictionary (section 2.27.3). Some words used by some worm programs
>aren't in this dictionary (if you add all the words that you learned in
>Junior High you'll cover most of them).

I agree it isn't clear, as Dan mentioned, whether adding your own
site-specific password policy code bypasses the DEC-supplied services.
I certainly hope that all the DEC-supplied filters (no use of username
or owner name combinations in password, minimum/maximum lengths
observed, no reuse during the history cycle, not currently in the
dictionary, etc.) are all applied *before* the site-specific filter
is applied, meaning that if it gets to your code, your code need only
check for your additional requirements.

Since, as Dan mentioned, we have a way to add new items to the
DEC-supplied dictionary, what I've wanted to do is to adapt a working
dictionary-based password policy program (like Ted Neiland's, for
example) to, instead of validating the plaintext password against
a dictionary, record the plaintext passwords which got this far (thus
they are *accepted* by VMS's other filters) in a file. Weekly, we'd
analyze the file of recorded plaintext passwords (saved *without* the
username, of course) to see if there were any words cropping up more
often. These words would then need to be added to the dictionary
because they're getting too popular as passwords.

+-"Never Underestimate the bandwidth of a station wagon full of mag tapes"--+
| J.Lance Wilkinson ("Lance")        BitNet:   JLW@PSULIAS.BITNET           |
| Systems Design Specialist - Lead   InterNet: JLW@PSULIAS.PSU.EDU          |
| Library Computing Services         AT&T:(814) 865-1818 FAX:(814)863-3560  |
| E8 Pattee Library                  "I'd rather be dancing..."             |
| Penn State University              A host is a host from coast to coast,  |
| University Park, PA 16802          And no one will talk to a host that's close |
| <POSTMAST@PSULIAS.BITNET>          Unless the host that isn't close       |
| <POSTMAST@PSUCES.BITNET>           Is busy, hung or dead.                 |
+------"He's dead, Jim. I'll get his tricorder. You take his wallet."-------+