The Question is:
Part of our SOX audit requires that we test for accounts with blank passwords.
In UNIX, I am doing something like "awk -F: '!$2' /etc/passwd" - how can I do
the same in VMS?
I have gawk for VMS, if that helps, and gawk's FIELDWIDTHS feature might be
useful in processing SYSUAF.
The Answer is:
Unless there are privileged users overriding security policy, there
cannot be passwords shorter than the required password length; shorter
than the established password minimum length value.
There is no means available to reverse the password hashing algorithm;
the test would involve using the blank password, the username, and the
salt, producing a new hashed password value, and comparing it to the
binary value of the current hashed password. No cleartext password
is available within the authorization database.
If you have privileged users overriding security-relevant attributes
such as the established system password length policy, you have far
larger security issues than searching for potentially blank passwords.
You will want to review and to remove the privileges of such users.
You can force a password change using the expired-password setting.
When next the user logs in, a password change will be required.
For details on OpenVMS system security and recommendations, please
see the OpenVMS System Security Manual.
For what should be obvious reasons, the OpenVMS Wizard is not in a
position to recommend password-cracking tools, but such tools are

Related topics include (1461), (1645), (4303), (4612), (4778), (6328),
(7818), (8985), (9728), and various others.