HP OpenVMS Systems: ask the wizard

The Question is:

This is a followup to 8985. Regarding ordering the listings, before I proffer my hard-earned cash, can you confirm that the information that I require is not in one of the censored modules? [This possibility was suggested to me subsequent to my original enquiry.]

I take your point regarding "just-slightly-better-than-bad" passwords. I should have made clear the purpose of my enquiry and hence the intended audience, being two-fold.

a) I as one of the system managers would like to maximise the security on my system, and being informed is part of that. If I replace the default password filter with my own, I should like that security does not go backwards unintentionally because I am not enforcing at least all of the rules that are currently being enforced by default. Naturally I understand that any answer that you give regarding the enforced rules is at a point in time (and likewise my site-specific password filter would not track the future addition of rules to the default password filter). This however would not be security going backwards but instead security not going as far forwards as it could.

b) Our auditors have asked for a security review to be performed, documented and presented to them. It is not very satisfactory to tell an auditor that the operating system is preventing weak passwords but be almost completely unable to substantiate the claim.

Answering my own question for question 3, even though my username is not an English dictionary word, it was pointed out to me by someone else that my username *is* in the dictionary that VMS uses. I am of course honoured. (-:

The Answer is:

The OpenVMS source module involved in the default checking for weak passwords is [CLIUTL]SETPWD.B32 (routine VERIFY_NEW_PWD), and this module is not among those modules censored from the source listings media kits. (The vast majority of the OpenVMS system security and password-related logic is deliberately not expurgated from the listings media kits.)

The current password filter checks the password dictionary, and includes explicit checks for the username and the host name as substrings within the password. Further, a site-specific password policy filtering module (if present) is also utilized -- the site-specific password policy module functions in addition to various OpenVMS-based password checks. Additional weak-password checks may or may not be present within OpenVMS, and additional weak-checks may or may not be implemented within future OpenVMS releases or within future ECO kits. (To the knowledge of the OpenVMS Wizard, details of the current implementation are not documented.)
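
For the regression concern raised in the question, the three checks named in the answer (password dictionary, username substring, host name substring) can be modelled and used to test a site-specific rule set. This is an added example, not OpenVMS code and not part of the original answer. Assumptions: comparisons are case-insensitive, the dictionary check is a whole-password lookup, and the word list, account name, node name and `length_only_filter` are constructed or hypothetical.

```python
# Added example: a model of the three checks named in the answer, not OpenVMS code.
from typing import Callable, Iterable, List

# Constructed sample; the real OpenVMS password dictionary is not reproduced here.
SAMPLE_DICTIONARY = frozenset({"password", "wizard", "system", "welcome"})


def baseline_violations(password: str, username: str, hostname: str,
                        dictionary: Iterable[str] = SAMPLE_DICTIONARY) -> List[str]:
    """Return the baseline rules (as described in the answer) that a password breaks."""
    # Assumption: comparisons are case-insensitive.
    pwd = password.casefold()
    words = {w.casefold() for w in dictionary}
    reasons = []
    # Assumption: the dictionary check is a lookup of the whole password.
    if pwd in words:
        reasons.append("dictionary word")
    # Skip empty names: "" is a substring of every string.
    if username and username.casefold() in pwd:
        reasons.append("contains username")
    if hostname and hostname.casefold() in pwd:
        reasons.append("contains host name")
    return reasons


def regressions(site_filter: Callable[[str, str, str], bool],
                candidates: Iterable[str], username: str, hostname: str) -> List[str]:
    """List candidates the baseline rejects but the site filter would accept."""
    return [p for p in candidates
            if baseline_violations(p, username, hostname)
            and site_filter(p, username, hostname)]


def length_only_filter(password: str, username: str, hostname: str) -> bool:
    """Hypothetical site filter that enforces only a minimum length."""
    return len(password) >= 10


if __name__ == "__main__":
    # Constructed test data: account name, node name and candidate passwords.
    cases = ["wizard", "jsmith2024xyz", "xxVAXA01node", "T7#kestrel-Quay"]
    for p in regressions(length_only_filter, cases, "JSMITH", "VAXA01"):
        print(p, "->", baseline_violations(p, "JSMITH", "VAXA01"))
```

An empty result from `regressions` over a representative candidate list is evidence, suitable for an audit record, that the site rules are at least as strict as the checks the answer describes.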