
looking for a tool to prevent users entering guessable password.

 
Hanry Zhou
Super Advisor


Hi,

I am looking for a replacement for the "passwd" command for UNIX, and it also has to work with the login process. With this tool, all new passwords that users enter (when they want to make a change, or when they are forced to change) are stringently screened to decrease the chance of having passwords vulnerable to guessing by programs such as Crack.

We have found "npasswd", but it could not work with 11i systems.

Does anybody have any idea?
8 REPLIES
Steven E. Protter
Exalted Contributor

Re: looking for a tool to prevent users entering guessable password.

See the file I'm attaching.

/etc/default/security

This configuration will require 1 Capital letter and at least one number.

If you increase the numeric requirement and/or the capital requirement, you can make it next to impossible for the user to use a guessable password.

You might want to consider using crack to check your /etc/passwd file. Then the guessed user id can actually be disabled automatically.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Sridhar Bhaskarla
Honored Contributor

Re: looking for a tool to prevent users entering guessable password.

Hi Hanry,

I would suggest you use the '/etc/default/security' file to include password construction restrictions first so that users will not be able to set weak passwords. For example, at least one special character, one uppercase, one lowercase, etc. Look at man 'security' for more details. If you convert the systems to trusted, there will be a lot more control on the accounts at the cost of a little inconvenience to the users.

Run Crack on the passwords and expire the user accounts that have guessed passwords. Notify them to immediately change their passwords. When they set the passwords next time, they wouldn't be able to select weak passwords.

Then continuously run Crack to identify weak passwords from time to time.

But I wouldn't do password checking during the login process. That's because the check may take a long time and it may frustrate the users.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Fred Ruffet
Honored Contributor

Re: looking for a tool to prevent users entering guessable password.

Two things:
Use pam and shadow.

pam gives you a way of verifying weakness of passwords.

Shadowing makes only a star appear in /etc/passwd in place of the password, and the system relies on a second file (/etc/shadow) to verify passwords. This file can only be read by root.

Both pam and shadow may already be installed on your server. They can be activated manually one by one, or by converting your system to trusted using sam.

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
RAC_1
Honored Contributor

Re: looking for a tool to prevent users entering guessable password.

You can replace the passwd command with a script that checks the new password against the criteria you set and then passes control to the passwd command. There are some Perl scripts around that do this.

Another option is, if you have a trusted system, you can control the password generation to some extent, i.e. these options:
rstrpw - restricted passwords, checked for triviality
syspnpw - system generates pronounceable passwords
admnum - administrative number assigned
syschpw - system generates character only passwords
sysltpw - system generates letter only passwords

Read the man pages of getprpw and modprpw

Anil
There is no substitute to HARDWORK
Mel Burslan
Honored Contributor

Re: looking for a tool to prevent users entering guessable password.

A bulletproof but not free option is to use a product called pwplus. There is a procedure called medusa which comes with the product, which scans the passwords for crackable password combinations and reports them. It is clever enough to make character to number substitutions and is aware of common words in many different languages.

For instance, let's say you selected your password to be "freebird", but since it is crackable, you changed some letters to numbers and made it fr3eb1rd. Under pwplus this still does not pass the check.
________________________________
UNIX because I majored in cryptology...
Hanry Zhou
Super Advisor

Re: looking for a tool to prevent users entering guessable password.

Mel,

The product you are talking about seems to be the one we are looking for.

But where can I get more info about it? Can you please provide the URL for me?
Hanry Zhou
Super Advisor

Re: looking for a tool to prevent users entering guessable password.

all,

Thanks for the message.

/etc/default/security can help me some, but it cannot satisfy me completely. For instance, the user can still type a password like "Dogdog^1" even though I can define one or more caps, numbers, or special characters, and "Dogdoc^1" is a password that could be cracked.

The main thing missing from /etc/default/security is the dictionary.

What Mel suggested in his post seems to be the one we are interested in, but unfortunately, I could not find any information about it on the web site. If he or anyone else knows the product "pwplus", who the vendor is, and where I can get more info, please let me know.
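A dictionary screen of the kind this thread asks for, shown as an added example that is not part of any post here and not how pwplus or npasswd work: it rejects a password whose letters, with or without common digit-for-letter swaps undone, reduce to a single dictionary word. The function names, the substitution table and the four-word list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample wordlist; assumed lowercase letters only, one word per line.
WORDS="dog
bird
freebird
password"

# "Dogdog^1" -> "dogdog": lowercase, then drop everything that is not a letter.
letters_only() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z'
}

# "fr3eb1rd" -> "freebird": also undo common digit/symbol-for-letter swaps.
unsubstitute() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '013457@$' 'oieastas' | tr -cd 'a-z'
}

# Returns 0 if removing every occurrence of one dictionary word leaves at most
# one letter (the word itself, the word repeated, or the word plus one letter).
is_guessable_form() {
    f=$1
    [ "${#f}" -ge 3 ] || return 1            # too few letters to judge here
    while read -r w; do
        [ "${#w}" -ge 3 ] || continue        # very short words match everything
        rest=$(printf '%s' "$f" | sed "s/$w//g")
        if [ "${#rest}" -le 1 ]; then return 0; fi
    done <<EOF
$WORDS
EOF
    return 1
}

# Returns 0 when the password passes the dictionary screen, 1 when rejected.
screen_password() {
    for form in "$(letters_only "$1")" "$(unsubstitute "$1")"; do
        if is_guessable_form "$form"; then return 1; fi
    done
    return 0
}

# Constructed sample passwords, two of them taken from the posts above.
for pw in 'fr3eb1rd' 'Dogdog^1' 'Tq7#vLx2pK'; do
    if screen_password "$pw"; then echo "accept: $pw"; else echo "reject: $pw"; fi
done
```

This only catches forms built from one dictionary word; combinations of different words need a larger wordlist or a dedicated checker.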
Hanry Zhou
Super Advisor

Re: looking for a tool to prevent users entering guessable password.

Does anybody else know of the product "pwplus", and where I can get it?