HPE Community
Operating System - OpenVMS
1751914 Members
5159 Online
108783 Solutions
New Discussion юеВ

Re: alphanumeric passwords

 
SOLVED
Go to solution
Melinda Chan
Advisor

тАО04-28-2005 12:31 PM

тАО04-28-2005 12:31 PM

alphanumeric passwords

Hello
quick question. I've looked at the OpenVMS Guide to System Security and can't seem find any reference as to whether it is possible to make users set only alphanumeric passwords.

Is this possible?

thanks
0 Kudos
8 REPLIES 8
Hein van den Heuvel
Honored Contributor

тАО04-28-2005 02:11 PM

тАО04-28-2005 02:11 PM

Solution

Re: alphanumeric passwords

>> whether it is possible to make users set only alphanumeric passwords.


As opposed to what? This is in fact pretty much the default VMS setup already. Per security guide ( http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.HTMl ) :
"OpenVMS passwords are limited to the 7-bit ASCII characters A-Z, 0-9, _, and $." They are case insensitive.
That same chapter talks about soem more siginin flags and Lanmanager alternatives.

YOu can also create "Site-Specific Filters"
From the security guide:

"Besides screening passwords against a system dictionary and a history list, you can develop a site-specific password filter to ensure that passwords are properly constructed and are not words readily associated with your site. A filter can check for password length, the use of special characters or combinations of characters, and the use of product names or personnel names.

To create a list of site-specific words, you write the source code, create a shareable image, install the image, and, finally, enable the policy by setting a system parameter. See the HP OpenVMS Programming Concepts Manual for instructions"

hth,
Hein.


0 Kudos
Melinda Chan
Advisor

тАО04-28-2005 04:19 PM

тАО04-28-2005 04:19 PM

Re: alphanumeric passwords

Sorry, should have been a little more clearer.

>>As opposed to - characters only.

Is it possible to enforce a user to pick a password that includes numbers as well as characters and not just characters alone?

I already have a password dictionary in use with site specific words included.
0 Kudos
Hein van den Heuvel
Honored Contributor

тАО04-28-2005 04:56 PM

тАО04-28-2005 04:56 PM

Re: alphanumeric passwords

Well, that really is what that password filter mechanisme is created for. It is supposed to be documented between the security manual, and the programming concepts (pdf part 2: 32.10.2 Installing Filters for Site-Specific Password Policies)

Admittedly the concepts manual is a little off-putting "Bliss and Ada examples of the policy module├в s interface, called
VMS$PASSWORD_POLICY.*, are located in SYS$EXAMPLES.... on a VAX system"
Not exactly top-3 popular languages or machine architecture at this point in time.

Google for +openvms +"password filter" will find 'wizard' articles, faq's and doc references, but admittedly i did not spot a 'good to go' example.

hth,
Hei
0 Kudos
Hein van den Heuvel
Honored Contributor

тАО04-29-2005 06:51 AM

тАО04-29-2005 06:51 AM

Re: alphanumeric passwords


Here is a trivial, working, example in C.
Admittedly the error handling is NOT up to VMS standards.

Hein.


$create PASSWORD_POLICY.c
#include ctype
#include stdio
typedef struct {short len, typ; char *addr;} desc;
int policy_hash (void *hash, void *user) { return 1; }
int policy_plaintext ( desc *pass, desc *user ) {
/* printf ("pass=%*s, user=%*s\n", pass->len, pass->addr, user->len, user->addr); */
char *p, *end;
p = pass->addr;
end = p + pass->len;
while (p < end) {
if (isdigit( *p++ )) { return 1 ;}
}
printf ("\nPassword refused. Must contain at least one digit.\n");
return 16; /* hack */
}
$
$ cc PASSWORD_POLICY
$
$ link/share PASSWORD_POLICY, sys$input:/opt
symbol_vector=(policy_hash=PROCEDURE,policy_plaintext=PROCEDURE)
$
$ copy PASSWORD_POLICY.exe sys$library:vms$PASSWORD_POLICY.exe /prot=(w:re)
$
$ instal replace sys$library:vms$PASSWORD_POLICY/open/head/share
$
$ sysgen
SYSGEN> USE ACTIVE
SYSGEN> SET LOAD_PWD_POLICY 1
SYSGEN> WRITE ACTIVE
SYSGEN> EXIT
$
$ set pass
Old password:
New password:
Verification:

Password refused. Must contain at least one digit.
%SYSTEM-F-BADPARAM, bad parameter value
$
$ set pass
Old password:
New password:
Verification:
%SET-F-PWDNOTVAL, old password validation error; password not changed
$ set pass
Old password:
New password:
Verification:
0 Kudos
John Gillings
Honored Contributor

тАО05-02-2005 02:02 PM

тАО05-02-2005 02:02 PM

Re: alphanumeric passwords

:-)

Ha! Hein made the same mistake as I did when asked the same question last year. His code checks that there is at least one digit, but it doesn't check that there is at least one alphabetic as well. So an all numeric password will pass the test. Sure, it's what was asked for, but perhaps not what was really wanted?

The attachment is an example written in MACRO (for those who don't have C licenses)
which checks that the password contains both alpha and numeric characters.

A crucible of informative mistakes
0 Kudos
Hein van den Heuvel
Honored Contributor

тАО05-02-2005 04:06 PM

тАО05-02-2005 04:06 PM

Re: alphanumeric passwords

Oh, I absolutely realized that it just tested for a digit, but that was asked :-).
I was tempted to write the example as a test for at least two alpha / digit transition. But then where does a basic example stop and a solution start.
If I had to write this for real I would actually start my adding a serious of 'obvious' passwords test. If I was presented with xxxxxxNN then I'd see is xxxxxx(NN-1)was valid to catch the jokers that try to change password01 to password02. And I'd scan for years, and month names in a few languages. Of course that would not be a simple lexical test. You would actually have to try that password (or hash it).

I like John's ss$_pwdweak return. Much nicer than ss$_param.

Cheers,
Hein.

(Btw Melinda, that's enough points already for one question. Thanks! And welcome to the forum!)
0 Kudos
Melinda Chan
Advisor

тАО05-04-2005 10:48 AM

тАО05-04-2005 10:48 AM

Re: alphanumeric passwords

Much appreciated
0 Kudos
Dave Laurier
Frequent Advisor

тАО07-31-2006 07:20 PM

тАО07-31-2006 07:20 PM

Re: alphanumeric passwords

Just for the people who are interested in this stuff and who find it hard to extend the example in MACRO. I have created an example in C which is equivalent to the MACRO code from John Gillings (including OpenVMS error handling).

In the example the password is checked to contain both alphabetic and numeric characters.

This behavior can easily be modified by adapting the following lines in the source code:

1. Text of error message

static const $DESCRIPTOR (desc_error_msg, "%SYSTEM-F-BADPWD, password policy requires alphabetic and numeric characters");

2. Actual filter

if ((!b_found_alpha) ||
(!b_found_digit))

For example, if one like to also check for uppercase and lowercase characters to be present:

1. Text of error message

static const $DESCRIPTOR (desc_error_msg, "%SYSTEM-F-BADPWD, password policy requires alphabetic, uppercase, lowercase and numeric characters");

2. Actual filter

if ((!b_found_alpha) ||
(!b_found_upper) ||
(!b_found_lower) ||
(!b_found_digit))
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.