Password policy, security? (take II)

The Question is:

This is a followup to 8985.
Regarding ordering the listings, before I proffer my hard-earned cash, can you confirm that the information that I require is not in one of the censored modules? [This possibility was suggested to me subsequent to my original

I take your point regarding "just-slightly-better-than-bad" passwords. I should have made clear the purpose of my enquiry and hence the intended audience, being two-fold.

a) I as one of the system managers would like to maximise the security on my system, and being informed is part of that. If I replace the default password filter with my own, I should like that security does not go backwards unintentionally because I am not enforcing at least all of the rules that are currently being enforced by

Naturally I understand that any answer that you give regarding the enforced rules is at a point in time (and likewise my site-specific password filter would not track the future addition of rules to the default password filter). This however would not be security going backwards but instead security not going as far forwards as it

b) Our auditors have asked for a security review to be performed, documented and presented to them. It is not very satisfactory to tell an auditor that the operating system is preventing weak passwords but be almost completely unable to substantiate the c

Answering my own question for question 3, even though my username is not an English dictionary word, it was pointed out to me by someone else that my username *is* in the dictionary that VMS uses. I am of course honoured. (-:

The Answer is :

  The OpenVMS source module involved in the default checking for weak
  passwords is [CLIUTL]SETPWD.B32 (routine VERIFY_NEW_PWD), and this
  module is not among those modules censored from the source listings
  media kits.  (The vast majority of the OpenVMS system security and
  password-related logic is deliberately not expurgated from the
  listings media kits.)

  The current password filter checks the password dictionary, and includes
  explicit checks for the username and the host name as substrings within
  the password.  Further, a site-specific password policy filtering module
  (if present) is also utilized -- the site-specific password policy module
  functions in addition to the various OpenVMS-based password checks.

  Additional weak-password checks may or may not be present within OpenVMS,
  and additional weak-password checks may or may not be implemented within
  future OpenVMS releases or within future ECO kits.  (To the knowledge of
  the OpenVMS Wizard, details of the current implementation are not
  documented.)

answer written or last revised on ( 24-NOV-2003 )
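The checks the Wizard lists (dictionary membership, username as a substring, host name as a substring, and a site-specific filter that runs in addition to the base checks rather than instead of them) are small enough to show in working code. The block below is an added illustration written for this page; it is not the OpenVMS SETPWD.B32 code and does not claim to match VERIFY_NEW_PWD exactly. The sample dictionary, the case-folding rule, the exact-match dictionary test and the site policy in `site_filter_example` are all assumptions chosen for the example. It also produces the kind of per-password reason list that the auditor question in (b) asks for.

```python
"""Added example modelled on the weak-password checks described in the
answer above: dictionary lookup, username and host name as substrings,
plus an optional site-specific filter that runs *in addition to* the
base checks.  Illustrative Python, not the OpenVMS implementation."""

import re

# Constructed stand-in for the system password dictionary (assumption:
# a small word list; the real OpenVMS dictionary is far larger).
SAMPLE_DICTIONARY = frozenset(
    w.upper() for w in ("password", "secret", "welcome", "vms", "system", "manager")
)


def base_checks(password, username, hostname, dictionary=SAMPLE_DICTIONARY):
    """Return a list of reasons the password is weak; empty means accepted.

    Assumptions: comparison is case-insensitive (usernames and node names
    are case-insensitive), and the dictionary test is an exact match of
    the whole password rather than a substring search.
    """
    pwd = password.upper()
    user = username.upper()
    host = hostname.upper()
    reasons = []
    if pwd in dictionary:
        reasons.append("password is in the dictionary")
    # Substring tests: the username or host name anywhere inside the password.
    if user and user in pwd:
        reasons.append("password contains the username")
    if host and host in pwd:
        reasons.append("password contains the host name")
    return reasons


def site_filter_example(password, username, hostname):
    """Hypothetical site-specific policy (assumption): at least 8 characters,
    at least one digit and at least one letter.  A real site module would
    carry whatever rules the site needs; the point is that it can only add
    reasons to reject, never remove the base checks."""
    reasons = []
    if len(password) < 8:
        reasons.append("site policy: shorter than 8 characters")
    if not re.search(r"[0-9]", password):
        reasons.append("site policy: no digit")
    if not re.search(r"[A-Za-z]", password):
        reasons.append("site policy: no letter")
    return reasons


def verify_new_pwd(password, username, hostname, site_filter=None,
                   dictionary=SAMPLE_DICTIONARY):
    """Run the base checks first and then, if a site filter is supplied,
    run it as well.  Because the base checks are never skipped, installing
    a site filter cannot make the result weaker than the default."""
    reasons = base_checks(password, username, hostname, dictionary)
    if site_filter is not None:
        reasons.extend(site_filter(password, username, hostname))
    return reasons


def audit_report(candidates, username, hostname, site_filter=None):
    """Evaluate a list of constructed candidate passwords and return a
    dict of password -> reasons, the sort of evidence an auditor can be
    shown instead of a bare assertion that weak passwords are blocked."""
    return {
        pwd: verify_new_pwd(pwd, username, hostname, site_filter)
        for pwd in candidates
    }


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    sample = ["SECRET", "xSmithx9", "node1pass", "Tr0ub4", "Tr0ub4dor"]
    for pwd, why in audit_report(sample, "SMITH", "NODE1", site_filter_example).items():
        print(f"{pwd:12s} {'ACCEPTED' if not why else 'REJECTED: ' + '; '.join(why)}")
```

Running the block prints one line per candidate with the reasons for rejection, which is the form of substantiation the auditor scenario needs. The order of reasons is deterministic (base checks first, then site policy), so the output can be diffed between OpenVMS releases to spot the "security not going as far forwards" case the questioner mentions.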

