Operating System - OpenVMS
Weak Password Testing

SOLVED
djk
Advisor

Weak Password Testing

I need to verify that VMS user passwords are not too weak and do not create a security vulnerability. My company's audit group suggests using a password scanning/cracking program that will detect weak user passwords.

The UAF parameters are set up for minimum length, etc., to ensure password rules are enforced, but I still need to conduct a test to verify good password security.

I am looking for suggestions from others who have processes in use to verify that user passwords are appropriately structured to ensure strong password security.
24 REPLIES
John Gillings
Honored Contributor
Solution

Re: Weak Password Testing

djk,

There are enough hooks in OpenVMS to allow you to insert your own, arbitrary policies to test for password strength.

Remember, by default VMS imposes length and basic substring checks for username and node name and checks against the password dictionary (which you are free to extend or replace - see SYS$SYSTEM:VMS$PASSWORD_HISTORY.DATA).

There are probably password scan/crack utilities around, but they tend to be extremely resource heavy, because the only feasible mechanism is brute force. I doubt anyone in this forum would make one available in response to a random query. There are security implications!

A much simpler mechanism would be to implement a password policy module to apply whatever policy your audit group requires, then expire all users' passwords. Next time they log in, they will be forced to update their password to conform with the new policies.

If you search this forum for "VMS$PASSWORD_POLICY" you should be able to find a copy of an example program (I posted a MACRO32 example a while back).
A crucible of informative mistakes
djk
Advisor

Re: Weak Password Testing

Thanks for the response. Your suggestions are good and offer good control on the front end. What I need is the ability to "test" the control to prove to the audit group that no weak passwords exist (even though there shouldn't be any because of the front-end control).
Andy Bustamante
Honored Contributor

Re: Weak Password Testing

VMS has intrusion detection and blocking enabled by default. From the VMS Guide to System Security at http://h71000.www7.hp.com/doc/732final/aa-q2hlg-te/aa-q2hlg-te.html

The operating system is sensitive to login failures. After one failure, it begins to monitor the terminal, terminal server connection, or network connection where the login is taking place. At first, the operating system records unsuccessful logins in an intrusion database. As failures continue, the operating system not only records failures but takes restrictive measures. The person attempting login is monitored more closely and limited to a certain number of login retries within a limited period of time. Once a person exceeds either the retry or time limitation, he or she cannot log in for a while, even with a valid user name and password. At a later point, the restriction eases, and login is allowed once again.

You'll need to disable intrusion detection while any password scan is running. As far as running the scan, perhaps your auditors can provide a utility. Of course disabling intrusion detection may be an issue in later audits.

One low-cost, quick-to-deploy option may be to use a terminal emulation package with scripting support. Kermit comes to mind. There are consultants to be found; some will be following up in this thread.


Andy
If you don't have time to do it right, when will you have time to do it over? Reach me at first_name + "." + last_name at sysmanager net
Hein van den Heuvel
Honored Contributor

Re: Weak Password Testing

Andy>> You'll need to disable intrusion detection while any password scan is running.

Nah, leave it on! It is on right? Only fair.

I would explain the password rule already in place, and then have `them' explain how that is not good enough, and how they propose to test to their satisfaction. No handwaving. Have `them' be specific to their (perceived?) needs and then set out to honor those. Surely `they' are not going to just accept a test you and I dream up, no?
Make the requirements specific: interactive, network, Oracle, Attunity, MQ, ...

I suspect more than half of the (non-generated) passwords in this world are weak, in the sense that they incorporate a predictable sequence based on the last password.
You tell me the number in the prior password, and I can predict the next password :-(. You can easily extend OpenVMS to protect against that, using the new-password intercept John referred to. Just take the new password, and try to validate it against the current password 2*N times, where N is the number of characters provided. For each character, try once the value one lower, and once the value one higher. Watch in horror? No matter how 'strong' the password looks, if it is based on the prior one, then it is weak.

Good luck!
Hein.
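The check Hein describes (and the site-defined policy hook John mentions above) as an added example; this is not code from either poster, and it is not the VMS$PASSWORD_POLICY shareable image itself. It is portable C implementing the policy logic only: a minimum length mirroring the UAF setting, the username substring check VMS already does by default, and Hein's 2*N probe that rejects a new password that differs from the old one by a single character bumped one value up or down. The function names, the `PW_MAX` limit and the sample username/password pairs are assumptions made for the example; wiring it into the image that LOAD_PWD_POLICY loads from SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE follows the entry-point conventions in the OpenVMS Guide to System Security, which are not reproduced here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 64   /* assumption for the example: longer candidates are rejected */

enum policy_result {
    PW_OK = 0,
    PW_TOO_LONG,
    PW_TOO_SHORT,
    PW_CONTAINS_USERNAME,
    PW_DERIVED_FROM_OLD
};

/* Case-insensitive substring test. OpenVMS usernames are upper-case and
 * passwords are case-folded by the system, so compare without case. */
static bool contains_ci(const char *haystack, const char *needle)
{
    size_t hn = strlen(haystack), nn = strlen(needle);
    if (nn == 0 || nn > hn) return false;
    for (size_t i = 0; i + nn <= hn; i++) {
        size_t j = 0;
        while (j < nn &&
               tolower((unsigned char)haystack[i + j]) ==
               tolower((unsigned char)needle[j]))
            j++;
        if (j == nn) return true;
    }
    return false;
}

static bool equal_ci(const char *a, const char *b)
{
    return strlen(a) == strlen(b) && contains_ci(a, b);
}

/* Hein's probe: build the 2*N single-step neighbours of the new password
 * (each character once one lower, once one higher) and see whether any of
 * them is the old password. If so, the user merely bumped one character. */
bool derived_by_single_step(const char *old_pw, const char *new_pw)
{
    char probe[PW_MAX + 1];
    size_t n = strlen(new_pw);
    if (n == 0 || n > PW_MAX || n != strlen(old_pw)) return false;
    for (size_t i = 0; i < n; i++) {
        for (int delta = -1; delta <= 1; delta += 2) {
            memcpy(probe, new_pw, n + 1);
            probe[i] = (char)((unsigned char)new_pw[i] + delta);
            if (equal_ci(probe, old_pw)) return true;
        }
    }
    return false;
}

/* Site policy applied to a proposed change. min_len mirrors the UAF
 * password minimum the audit group already enforces. */
enum policy_result policy_check(const char *username, const char *old_pw,
                                const char *new_pw, size_t min_len)
{
    size_t n = strlen(new_pw);
    if (n > PW_MAX) return PW_TOO_LONG;
    if (n < min_len) return PW_TOO_SHORT;
    if (contains_ci(new_pw, username)) return PW_CONTAINS_USERNAME;
    if (derived_by_single_step(old_pw, new_pw)) return PW_DERIVED_FROM_OLD;
    return PW_OK;
}

int main(void)
{
    /* constructed sample password changes for the example */
    struct { const char *user, *old_pw, *new_pw; } cases[] = {
        {"DJK", "Winter11", "Winter12"},
        {"DJK", "Winter11", "djkforever"},
        {"DJK", "Winter11", "Tr0ub4dor&3"},
    };
    static const char *names[] = {
        "OK", "TOO_LONG", "TOO_SHORT", "CONTAINS_USERNAME", "DERIVED_FROM_OLD"
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%s: %s -> %s : %s\n", cases[i].user, cases[i].old_pw,
               cases[i].new_pw,
               names[policy_check(cases[i].user, cases[i].old_pw,
                                  cases[i].new_pw, 8)]);
    return 0;
}
```

The probe is deliberately a generate-and-compare loop rather than a per-position difference test, because inside a real policy module the natural thing to do with each candidate is to hand it to the existing old-password validation; the loop shape stays the same if you also want to try neighbours two or three steps away, at the cost of more candidates.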


Hoff
Honored Contributor

Re: Weak Password Testing