The Question is:
If I try to set my password to be equal to my username, the system complains,
indicating that the password is in the dictionary.
If I try to set my password to be equal to my username followed by my first
initial, the system complains, indicating that the password is weak.
1. Where is this behaviour documented? For a site security review I would like
to document the rules that VMS is implicitly enforcing. [BLISS or other
language source would be accepted if that is the only existing documentation.]
2. How does this behaviour interact with a site-specific password filter?
If I put in a filter would it replace the above implicit behaviour? Or would a
potential password have to pass both the implicit checks made by VMS and the
explicit checks in my filter? Or some more complicated interaction?
3. In the first scenario (username equal to password), I assume that this is
just someone being tricky with a status. Is this correct?
That is, my username is not an English dictionary word that I am aware of.
Returning the same message/status ("weak") in the two scenarios might have
The Answer is:
For access to the source listings, please see the order numbers
in the OpenVMS FAQ.
Details in this particular area are subject to change without
notice, and detection of weak passwords is an obvious area
of potential improvement -- the OpenVMS Wizard would prefer
to see users learn how to pick better passwords, rather than
to learn how to pick just-slightly-better-than-bad passwords.
And the OpenVMS Wizard cannot rule out enhancements within
the password filtering mechanisms.
If you wish to allow users to pick arbitrarily bad passwords,
on the other hand, please disable the history mechanism and
the dictionary, or -- simpler, similarly effective, and far
more obvious -- set the user's password string to null.
The site-specific password policy module will supplement the
basic OpenVMS password filter.
Password- and authentication-related topics include (4612),
(1461), (1475), (1645), (2938), (3233), (3883), and (5508).
Also (9034). There are other topics, as well.