HP OpenVMS Systems: ask the wizard

The Question is:

If I try to set my password to be equal to my username, the system complains, indicating that the password is in the dictionary. If I try to set my password to be equal to my username followed by my first initial, the system complains, indicating that the password is weak.

Three questions:

1. Where is this behaviour documented? For a site security review I would like to document the rules that VMS is implicitly enforcing. [BLISS or other language source would be accepted if that is the only existing documentation.]

2. How does this behaviour interact with a site-specific password filter (VMS$PASSWORD_POLICY)? If I put in a filter would it replace the above implicit behaviour? Or would a potential password have to pass both the implicit checks made by VMS and the explicit checks in my filter? Or some more complicated interaction?

3. In the first scenario (username equal to password), I assume that this is just someone being tricky with a status. Is this correct? That is, my username is not an English dictionary word that I am aware of. Returning the same message/status ("weak") in the two scenarios might have been clearer.

TIA

Derek

The Answer is:

For access to the source listings, please see the order numbers in the OpenVMS FAQ.

Details in this particular area are subject to change without notice, and detection of weak passwords is an obvious area of potential improvement -- the OpenVMS Wizard would prefer to see users learn how to pick better passwords, rather than to learn how to pick just-slightly-better-than-bad passwords. And the OpenVMS Wizard cannot rule out enhancements within the password filtering mechanisms.

If you wish to allow users to pick arbitrarily bad passwords, on the other hand, please disable the history mechanism and the dictionary, or -- simpler, similarly effective, and far more obvious -- set the user's password string to null.

The site-specific password policy module will supplement the basic OpenVMS password filter.

Password- and authentication-related topics include (4612), (1461), (1475), (1645), (2938), (3233), (3883), and (5508). Also (9034). There are other topics, as well.