HP OpenVMS Systems: ask the wizard
The Question is:

Part of our SOX audit requires that we test for accounts with blank passwords. In UNIX, I am doing something like "awk -F: '!$2' /etc/passwd" - how can I do the same in VMS? I have gawk for VMS, if that helps, and gawk's FIELDWIDTHS feature might be useful in processing SYSUAF.

The Answer is:

Unless there are privileged users overriding security policy, there cannot be passwords shorter than the required password length; shorter than the established password minimum length value.

There is no means available to reverse the password hashing algorithm; the test would involve using the blank password, the username, and the salt, producing a new hashed password value, and comparing it to the binary value of the current hashed password. No cleartext password is available within the authorization database.

If you have privileged users overriding security-relevant attributes such as the established system password length policy, you have far larger security issues than searching for potentially blank passwords. You will want to review and to remove the privileges of such users, of course.

You can force a password change using the expired-password setting. When next the user logs in, a password change will be required.

For details on OpenVMS system security and recommendations, please see the OpenVMS System Security Manual.

For what should be obvious reasons, the OpenVMS Wizard is not in a position to recommend password-cracking tools, but such tools are undoubtedly available.

Related topics include (1461), (1645), (4303), (4612), (4778), (6328), (7818), (8985), (9728), and various others.
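
The answer rests on every account carrying a sensible password minimum length, so a practical audit step is to check that setting account by account. The Python sketch below is an added example, not part of the original answer or any HP tool; it assumes a saved listing in the layout of AUTHORIZE SHOW /FULL output with Username:, Flags: and Pwdminimum: fields, and the sample records and the policy value of 8 are constructed.

```python
import re

# Constructed sample in the layout assumed for AUTHORIZE "SHOW /FULL" output
# (only the fields this check reads are shown; all values are invented).
SAMPLE_LISTING = """\
Username: SYSTEM                           Owner:  SYSTEM MANAGER
Flags:
Expiration:            (none)    Pwdminimum: 10   Login Fails:     0

Username: OPER1                            Owner:  NIGHT OPERATOR
Flags:  DisUser
Expiration:            (none)    Pwdminimum:  0   Login Fails:     0

Username: JSMITH                           Owner:  J SMITH
Flags:
Expiration:            (none)    Pwdminimum:  4   Login Fails:     2
"""

USERNAME_RE = re.compile(r"^Username:\s+(\S+)")
PWDMIN_RE = re.compile(r"\bPwdminimum:\s*(\d+)")
FLAGS_RE = re.compile(r"^Flags:\s*(.*)$")

def parse_accounts(listing):
    """Return {username: {"pwdminimum": int or None, "flags": set of str}}."""
    accounts, current = {}, None
    for line in listing.splitlines():
        m = USERNAME_RE.match(line)
        if m:  # a Username: line starts a new record
            current = accounts[m.group(1)] = {"pwdminimum": None, "flags": set()}
        elif current is not None:
            m = FLAGS_RE.match(line)
            if m:
                current["flags"].update(m.group(1).split())
            m = PWDMIN_RE.search(line)
            if m:
                current["pwdminimum"] = int(m.group(1))
    return accounts

def below_policy(accounts, policy_minimum):
    """List (username, pwdminimum, disabled) where the minimum is missing or below policy."""
    return [(name, rec["pwdminimum"], "DisUser" in rec["flags"])
            for name, rec in sorted(accounts.items())
            if rec["pwdminimum"] is None or rec["pwdminimum"] < policy_minimum]

if __name__ == "__main__":
    for name, pwdmin, disabled in below_policy(parse_accounts(SAMPLE_LISTING), 8):
        print(f"{name}: Pwdminimum={pwdmin} disabled={disabled}")
```

Accounts it reports are candidates for a corrected minimum length and the forced password change the answer describes.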