The Question is:
This is a followup to 8985.
Regarding ordering the listings, before I proffer my hard-earned cash, can you
confirm that the information that I require is not in one of the censored
modules? [This possibility was suggested to me subsequent to my original
enquiry.]
I take your point regarding "just-slightly-better-than-bad" passwords. I should
have made clear the purpose of my enquiry and hence the intended audience,
being two-fold.
a) I as one of the system managers would like to maximise the security on my
system, and being informed is part of that. If I replace the default password
filter with my own, I should like that security does not go backwards
unintentionally because I am not enforcing at least all of the rules that are
currently being enforced by default.
Naturally I understand that any answer that you give regarding the enforced
rules is at a point in time (and likewise my site-specific password filter
would not track the future addition of rules to the default password filter).
This however would not be security going backwards but instead security not
going as far forwards as it could.
b) Our auditors have asked for a security review to be performed, documented
and presented to them. It is not very satisfactory to tell an auditor that the
operating system is preventing weak passwords but be almost completely unable
to substantiate the claim.
Answering my own question for question 3, even though my username is not an
English dictionary word, it was pointed out to me by someone else that my
username *is* in the dictionary that VMS uses. I am of course honoured. (-:
The Answer is:
The OpenVMS source module involved in the default checking for weak
passwords is [CLIUTL]SETPWD.B32 (routine VERIFY_NEW_PWD), and this
module is not among those modules censored from the source listings
media kits. (The vast majority of the OpenVMS system security and
password-related logic is deliberately not expurgated from the
listings media kits.)
The current password filter checks the password dictionary, and includes
explicit checks for the username and the host name as substrings within
the password. Further, a site-specific password policy filtering module
(if present) is also utilized -- the site-specific password policy module
functions in addition to various OpenVMS-based password checks.
Additional weak-password checks may or may not be present within OpenVMS,
and additional weak-checks may or may not be implemented within future
OpenVMS releases or within future ECO kits. (To the knowledge of the
OpenVMS Wizard, details of the current implementation are not documented.)
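As an added illustration (not OpenVMS source and not the Wizard's code), the following Python models the default checks the answer describes: a dictionary lookup plus username and host name substring checks, with site-specific policies applied in addition to, never instead of, the default checks. The sample dictionary, the host and user names, the case-folding assumption, and the `min_length_policy` site policy are all constructed for the example.

```python
"""Constructed model of the default weak-password checks the Wizard lists.

Not OpenVMS source: it shows the shape of VERIFY_NEW_PWD-style checks and how
a site-specific policy module layers on top of them, so that replacing the
site policy cannot silently remove the default checks.
"""
from typing import Callable, Iterable, List, Optional

# Constructed sample dictionary; a real system consults the system dictionary.
SAMPLE_DICTIONARY = frozenset({"SECRET", "PASSWORD", "WIZARD", "SYSTEM"})


def default_checks(password: str, username: str, hostname: str,
                   dictionary=SAMPLE_DICTIONARY) -> List[str]:
    """Return the reasons the default filter rejects a password (empty = accepted)."""
    # Assumption: comparisons are case-insensitive, since classic VMS usernames
    # and passwords are stored uppercased.
    pwd = password.upper()
    reasons = []
    if pwd in dictionary:
        reasons.append("password is in the dictionary")
    # Substring checks: the username or host name anywhere inside the password.
    if username and username.upper() in pwd:
        reasons.append("password contains the username")
    if hostname and hostname.upper() in pwd:
        reasons.append("password contains the host name")
    return reasons


# A site policy receives the candidate password and username and returns a
# rejection reason, or None to accept.
SitePolicy = Callable[[str, str], Optional[str]]


def min_length_policy(n: int) -> SitePolicy:
    """Hypothetical site policy: enforce a minimum length (constructed example)."""
    def policy(password: str, username: str) -> Optional[str]:
        if len(password) < n:
            return f"shorter than site minimum of {n}"
        return None
    return policy


def verify_new_pwd(password: str, username: str, hostname: str,
                   site_policies: Iterable[SitePolicy] = (),
                   dictionary=SAMPLE_DICTIONARY) -> List[str]:
    """Default checks first, then every site policy; all reasons are collected.

    Because the default checks always run, a weaker site policy can only fail
    to add rules, never remove the ones enforced by default.
    """
    reasons = default_checks(password, username, hostname, dictionary)
    for policy in site_policies:
        reason = policy(password, username)
        if reason:
            reasons.append("site policy: " + reason)
    return reasons


if __name__ == "__main__":
    # Constructed sample user and host.
    for candidate in ("WIZARD", "xSMITHx1", "myVAXA9", "Qw7!kLp2"):
        result = verify_new_pwd(candidate, "SMITH", "VAXA",
                                site_policies=[min_length_policy(10)])
        print(candidate, "->", result or "accepted")
```

The point for the auditor's question is the structure of `verify_new_pwd`: the list of reasons is seeded by the default checks before any site policy runs, so a site module can only add rejections. The dictionary check tests the whole password, which is why a username that happens to be a dictionary word (the questioner's own case) is not by itself a rejection unless it is used as the password.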