Operating System - OpenVMS

Hi all can you please guide me how to implement Password security

 
Ankur007
Occasional Advisor

Hi all,

 

I have a requirement to implement the following in the OpenVMS Alpha system user accounts:

 

1. Passwords must be set to 8 characters or more.

2. Password complexity must be enabled.

3. Passwords must include an alpha, a numeric, and a punctuation character.

4. Password reset must not allow one of the last 6 passwords used.

5. Lockout must be in place after 3 failed login attempts.

 

Can you please guide me on the same.

abrsvc
Respected Contributor

Re: Hi all can you please guide me how to implement Password security

All of these questions can be answered by careful reading of chapter 7 of the Guide to Systems Security manual.  With the exception of the requirement for a punctuation character (of which I am not entirely sure is supported), all requirements are easily met.  Please read the above referenced manual for a start.  Post here the version of VMS that you are using and further details can be provided.

 

Dan

Hoff
Honored Contributor

Re: Hi all can you please guide me how to implement Password security

Based on that requirements list, your security auditors are probably unfamiliar with OpenVMS and are likely working off a generic cookbook of password recommendations, so your evaluation of their recommendations should include some appropriate degree of skepticism.  Some of the recommendations I've received from security auditors would have disabled OpenVMS.  

 

As for your list, points 4 and 5 are longstanding default behavior of OpenVMS.   See the security manual in the OpenVMS documentation set for details.  For the other points, see OpenVMS Tips: Password Policy Filters and OpenVMS Tips: Password Policy Filters, Example and Configuring LDAP External Authentication among other postings.  One of those has full source code.

 

Given the ever-increasing speed of brute-force password matching and the default break-in evasion support within OpenVMS and given the general weakness of passwords, password complexity is arguably tussling with an old (and losing) security battle.   But that's typical of various security audits I've encountered; some of these reviews are little more than a corporate backside-covering issue -- also known as a transfer of liability - than an effort looking for actual and forward-looking security.  (The list you've posted is a common cookbook that these folks work from.)  

 

I have also used the larger brute-force password attack dictionaries as site-specific additions into the forbidden-password list.  These dictionaries tend to be five or ten thousand entries that are known and common password choices. Details on that approach are here.

 

As for another common brute-force, I haven't encountered a John The Ripper variant implemented in CUDA or OpenCL and running within a GPU (not that I've even looked for it), but I do expect it's entirely feasible to brute-force the password hashes.  The speeds of these GPU-based password attacks are prodigious.   And as for other alternatives to old-school password attacks - if your organization is worth targeting - there are other and easier and very effective ways to get access and get passwords using spearphishing and related techniques (e.g. Stuxnet, Duqu, others), but - if you're worth it and your password hashes should get exposed to your attackers, then somebody will create the CUDA or OpenCL code necessary.

 

Ankur007
Occasional Advisor

Re: Hi all can you please guide me how to implement Password security

We are using VMS 8.3.

John Gillings
Honored Contributor

Re: Hi all can you please guide me how to implement Password security

> 1. Passwords much be set to 8 characters or more.

 

This is set per user in the UAF with MODIFY/PWDMINIMUM=value.

 

The default (for the DEFAULT account) is 6. Change it with:

 

UAF> MODIFY DEFAULT/PWDMINIMUM=8

 

 

>2. Password complexity must be enabled.

>3. Passwords must include an alpha, a numeric, and a punctuation character.

 

   You'll need to enable mixed passwords for each account and/or the default:

 

UAF> MODIFY user/FLAGS=PWDMIX

UAF> MODIFY DEFAULT/FLAGS=PWDMIX

 

  To enable complexity rules, you'll need a VMS$PASSWORD_POLICY module. A Google search for VMS$PASSWORD_POLICY should find example code, which includes instructions. I've also attached a MACRO32 version. You may need to modify the code to implement the policy you require.

 

 

> 4. Password re set must not allow one of the last 6 passwords used.

 

  Set system wide with the system executive logical name SYS$PASSWORD_HISTORY_LIMIT. Default if not defined is 60. You can also define SYS$PASSWORD_HISTORY_LIFETIME, which is the minimum time to password reuse. Default is 365 days. I'd go with the stricter OpenVMS defaults.

 

> 5. Lock out must be in place after 3 failed log in attempts.

 

  This is probably not a good idea. You can do it by setting SYSGEN parameters LGI_BRK_LIM to 3 and LGI_BRK_DISUSER to 1. However, this opens you up to DoS attacks - it's trivially easy to lock out one of your users, and 3 retries isn't sufficient for normal fumble fingers. Personally, I'd increase the limit from the default of 5 to about 20, and increase LGI_HID_TIM to a few hours. That will be more than sufficient to protect against brute force attacks, give you plenty of warning from audit logs, but still give folk plenty of room for mistyping.

A crucible of informative mistakes
Ankur007
Occasional Advisor

Re: Hi all can you please guide me how to implement Password security

Thanks much, folks, for the solution.

Hein van den Heuvel
Honored Contributor

Re: Hi all can you please guide me how to implement Password security

Please consider adding some "kudos" and perhaps mark a specific reply as providing the solution.

Cheers, Hein.

prakashsmtr
Advisor

Re: Hi all can you please guide me how to implement Password security

Hi All,

 

Could anybody please tell me how to implement vms$password_policy_mar.txt (9 KB, as attached by John)?

I created a file using the CREATE command:

$ create VMS$PASSWORD_Policy.mar 

then copied the contents of the above-mentioned file by John into it, then:

$ MACRO VMS$PASSWORD_POLICY ---> it created VMS$PASSWORD_POLICY.OBJ; under my home directory.

But when I try to link, it gives the error below. Please advise:

$LINK/SHAREABLE/SYSEXE VMS$PASSWORD_POLICY+SYS$INPUT:/OPTION-
_$> SYMBOL_VECTOR=(POLICY_PLAINTEXT=PROCEDURE,POLICY_HASH=PROCEDURE)
%DCL-W-MAXPARM, too many parameters - reenter command with fewer parameters
 \SYMBOL_VECTOR\

 

Could anybody guide me step by step, as I am a novice to MACRO programming but still want to test this password policy on a VMS system? Your response will help me a lot on this. I am using OpenVMS 8.3.

Hoff
Honored Contributor

Re: Hi all can you please guide me how to implement Password security

You have apparently somehow added a spurious hyphen at the end of the LINK command; an errant continuation character after the /OPTION qualifier.

 

Remove that hyphen.

 

The command is intended to read its options data (the shareable image symbol declarations) from the command input SYS$INPUT device, but that hyphen caused DCL to see that data as additional parameters on the command.

 

prakashsmtr
Advisor

Re: Hi all can you please guide me how to implement Password security

Hi Hoff,

 

That hyphen is for the continuation of a single command onto the next line... I don't think that's an error. Please advise.

 

Regards

Prakash

Duncan Morris
Honored Contributor

Re: Hi all can you please guide me how to implement Password security

Prakash,

 

Hoff is correct.

 

The command line ends with SYS$INPUT/OPTION

Therefore no hyphen.

 

The following line is not part of the COMMAND line, but is actually the start of the option file defined as SYS$INPUT.

 

Duncan

Hoff
Honored Contributor

Re: Hi all can you please guide me how to implement Password security

Rather than your reply here, it would have taken you rather less time to have removed that hyphen and tested the command as was suggested, or cut and pasted the command from the comments and tested that, no?

 

I've already explained why that hyphen is wrong.

 

I'll try again.

 

A hyphen is for a command continuation.

 

That symbol vector chatter is not a command continuation.  

 

It is some data that will be read by the program.  

 

That data could be located in an external file but both for brevity and to avoid scattering the operations over multiple files, the data was placed in the command input stream (SYS$INPUT) for the application (the LINKER) to read, and the application was told its data was available at SYS$INPUT.  

 

The application will then read that data until the End Of File (EOF) (a line beginning with the $ sign, by default, in the command input stream) and processes it according to the application's programming.

 

There is no hyphen, because the data is not part of the DCL command, any more than any particular application input file is part of a DCL command or program invocation.

 

Read the OpenVMS User's Manual, in the OpenVMS documentation set.  That document provides an introduction and general explanation of DCL syntax.  This command syntax is clearly a little more advanced than might be familiar to you.

 

prakashsmtr
Advisor

Re: Hi all can you please guide me how to implement Password security

Hi Hoff/All,

 

Sorry for taking your precious time; I got the point. But indeed I tried that before replying also.

 

I ran it with no hyphen, still no success. It stays in the same status for a long time; then if I press anything, like the letter "a" as below, it shows the error below.

 

$LINK/SHAREABLE/SYSEXE VMS$PASSWORD_POLICY+SYS$INPUT:/OPTIONS
SYMBOL_VECTOR=(POLICY_PLAINTEXT=PROCEDURE,POLICY_HASH=PROCEDURE)

.
a
%LINK-F-OPENIN, error opening PROG01:[SYS_PRAKASH]A.OBJ; as input
-RMS-E-FNF, file not found

Martin Vorlaender
Honored Contributor

Re: Hi all can you please guide me how to implement Password security

If you're entering the linker command (plus the data line) interactively, close the data line with a press of Ctrl-Z.

The lines as shown work when put in a DCL procedure file.

 

HTH

 

Martin 

prakashsmtr
Advisor

Re: Hi all can you please guide me how to implement Password security

Hi Martin, Hoff,

 

Thanks for your help... I think I should have checked my home directory before replying... thanks for your help.

 

it's working now...

 

$ dir vms*/da/siz

Directory USERDISK:[SYS_PRAKASH] 

 

VMS$PASSWORD_POLICY.EXE;3                            7   1-DEC-2011 17:22:24.15
VMS$PASSWORD_POLICY.EXE;2                            7   1-DEC-2011 14:59:34.32
VMS$PASSWORD_POLICY.EXE;1                           7   1-DEC-2011 14:44:03.73
VMS$PASSWORD_POLICY.MAR;1                          18  30-NOV-2011 16:54:00.12
VMS$PASSWORD_POLICY.OBJ;1                           4  30-NOV-2011 16:55:52.50

 

But I need one more bit of help... my environment requires:

 

Passwords must include an alpha, a numeric, and a punctuation character. Please advise which lines I need to uncomment, if possible, as I know little about Assembly code/MACRO.

 

CharTab:  ; ASCII table, defines character types
          ;  Confirm that the following table of ASCII characters matches
          ;  your local requirements before deployment of this module.
          ;
          ;  1 = Control
          ;  2 = Special
          ;  3 = Numeric
          ;  4 = Uppercase
          ;  5 = Lowercase
          ;  6 = Invalid
          ;
          ;   NUL SOH STX ETX EOT ENQ ACK BEL BS  HT  LF  VT  FF  CR  SO  SI
.BYTE 6,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1
          ;
          ;   DLE DC1 DC2 DC3 DC4 NAK SYN ETB CAN EM  SUB ESC FS  GS  RS  US
.BYTE 1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1
          ;
          ;   SP  !   "   #   $   %   &   '   (   )   *   +   ,   -   .   /
.BYTE 1,  2,  2,  2,  2,  2,  2,  2,  2,  2,  2,  2,  2,  2,  2,  2
          ;
          ;   0   1   2   3   4   5   6   7   8   9   :   ;   <   =   >   ?
.BYTE 3,  3,  3,  3,  3,  3,  3,  3,  3,  3,  2,  2,  2,  2,  2,  2
          ;
          ;   @   A   B   C   D   E   F   G   H   I   J   K   L   M   N   O
.BYTE 2,  4,  4,  4,  4,  4,  4,  4,  4,  4,  4,  4,  4,  4,  4,  4
          ;
          ;   P   Q   R   S   T   U   V   W   X   Y   Z   [   \   ]   ^   _
.BYTE 4,  4,  4,  4,  4,  4,  4,  4,  4,  4,  4,  3,  3,  3,  3,  3         
          ;
          ;   `   a   b   c   d   e   f   g   h   i   j   k   l   m   n   o
.BYTE 3,  5,  5,  5,  5,  5,  5,  5,  5,  5,  5,  5,  5,  5,  5,  5
          ;
          ;   p   q   r   s   t   u   v   w   x   y   z   {   |   }   ~   DEL
.BYTE 5,  5,  5,  5,  5,  5,  5,  5,  5,  5,  5,  3,  3,  3,  3,  6

Martin Vorlaender
Honored Contributor

Re: Hi all can you please guide me how to implement Password security

The table you cited tells the program which class (Control, Special, etc.) each character belongs to. Further down in the MACRO source each incoming character is counted according to the table. After that comes a series of tests - these tests implement your password policy. Remove the comment characters (the leading semicolons) from each of the tests that you want the program to use:

 

; uncomment and/or alter the following code to make decisions
; based on the required password policy around the characters
; present in the password.
;
; TSTL CountSpecial
; BEQL bad
; TSTL CountNumeric
; BEQL bad
; TSTL CountUpper
; BEQL bad
; TSTL CountLower
; BEQL bad

 

(each test consists of one TSTL line and the following BEQL line)

 

HTH,

 

Martin

Duncan Morris
Honored Contributor

Re: Hi all can you please guide me how to implement Password security

You might also want to alter the classification of some of those special characters.

 

As the table currently stands, several of the "punctuation" characters are in class 3 (numeric) rather than class 2 (special).

 

For example:  [ \ ] ^ _ are set as class 3, as are { | } ~

 

For one particular client I have amended the tables to change these, and to allow the UK pound sign. We also disallowed the quote characters to avoid problems with scripts and DECnet.

 

I have attached the modified table.

 

We also allowed the user to use any 3 of uppercase, lowercase, numeric, and special characters, as some third-party software could not handle mixed-case alphabetics. This is reflected in the code snippet after the table.

 

For your stated requirement, you could use:

 

        TSTL CountSpecial
        BEQL bad
        TSTL CountNumeric
        BEQL bad
        ADDL3 CountUpper, CountLower, R4
        BEQL bad

 

 

 

Duncan
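Duncan's two points above, the misclassified punctuation in the table and the two rule variants (alpha + numeric + special, or any 3 of 4 classes), as an added example that is not code from the thread: a portable C model of the MACRO module's character-class checks, runnable anywhere, with a switch that reproduces the posted table or Duncan's corrected classification. The class numbers and rules come from the posts above; rejecting class 6 characters and treating bytes above DEL as invalid are assumptions.

```c
/* Added example, not code from the thread: a portable C model of the
 * character-class tests in the VMS$PASSWORD_POLICY MACRO-32 module above,
 * so both rule sets can be tried on sample passwords without assembling
 * anything. Classes per the posted CharTab: 1 Control, 2 Special, 3 Numeric,
 * 4 Upper, 5 Lower, 6 Invalid. */
#include <stddef.h>
#include <string.h>
enum { CTRL = 1, SPECIAL = 2, NUMERIC = 3, UPPER = 4, LOWER = 5, INVALID = 6 };
#define BIT(cls) (1u << (cls))
/* fix_punct == 0 reproduces the posted table, which files [ \ ] ^ _ ` { | } ~
 * under class 3 (numeric); fix_punct != 0 moves them to class 2 (special),
 * the change Duncan Morris recommends. Bytes above DEL are treated as
 * invalid here (an assumption: the posted table covers 7-bit ASCII only). */
static int classify(unsigned char c, int fix_punct)
{
    if (c == 0x00 || c >= 0x7F) return INVALID;      /* NUL, DEL, 8-bit */
    if (c <= 0x20) return CTRL;                      /* posted table puts SP in class 1 */
    if (c >= '0' && c <= '9') return NUMERIC;
    if (c >= 'A' && c <= 'Z') return UPPER;
    if (c >= 'a' && c <= 'z') return LOWER;
    if (strchr("[\\]^_`{|}~", c) != NULL) return fix_punct ? SPECIAL : NUMERIC;
    return SPECIAL;                                  /* other punctuation, incl. @ and $ */
}

/* Bit mask of the classes present. The MACRO module keeps a count per class
 * and tests it with TSTL/BEQL; the policy only cares whether a count is zero,
 * so presence bits are equivalent. */
static unsigned classes_present(const char *pw, size_t len, int fix_punct)
{
    unsigned mask = 0;
    for (size_t i = 0; i < len; i++)
        mask |= BIT(classify((unsigned char)pw[i], fix_punct));
    return mask;
}

/* Duncan's snippet for the stated requirement (TSTL CountSpecial / BEQL bad,
 * TSTL CountNumeric / BEQL bad, ADDL3 CountUpper,CountLower,R4 / BEQL bad).
 * Returns 1 to accept. Rejecting class 6 characters is an assumption. */
int policy_alpha_num_special(const char *pw, size_t len, int fix_punct)
{
    unsigned m = classes_present(pw, len, fix_punct);
    if (m & BIT(INVALID)) return 0;
    return (m & BIT(SPECIAL)) && (m & BIT(NUMERIC)) && (m & (BIT(UPPER) | BIT(LOWER)));
}

/* Duncan's relaxed variant: any 3 of upper, lower, numeric and special. */
int policy_three_of_four(const char *pw, size_t len, int fix_punct)
{
    unsigned m = classes_present(pw, len, fix_punct);
    if (m & BIT(INVALID)) return 0;
    int n = !!(m & BIT(UPPER)) + !!(m & BIT(LOWER)) +
            !!(m & BIT(NUMERIC)) + !!(m & BIT(SPECIAL));
    return n >= 3;
}
```

With the table as posted, "Secret_2011" fails the alpha/numeric/special rule because the underscore is counted as numeric; with the corrected classification the same password passes.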

 

 

Ankur007
Occasional Advisor
Solution

Re: Hi all can you please guide me how to implement Password security

Hi All,

 

Thanks for all the help. However, I found MACRO very difficult to understand.

 

I have developed a CXX program (as we have the CXX compiler only on our server) to fulfil the requirement, and it worked fine.

 

In case I require any help I will be posting soon.

 

Thanks again All.

 

Kind Regards

Ankur

Ankur007
Occasional Advisor

Re: Hi all can you please guide me how to implement Password security

Difficulty in adding an attachment, hence I typed the program:

 

Ankur>type VMS$PASSWORD_POLICY.CXX;1
/**************************************************************************|
| Program     - VMS$PASSWORD_POLICY.CXX                                    |
| System      - OpenVMS Alpha 8.3                                          |
| Function    - Enforce Password Policy for password change                |
|                                                                          |
| Date        - 30-Apr-12                                                  |
| Author(s)   - Ankur Saxena  (VMS Admin)                                  |
| Description - This program enforces a specific Password Policy           |
|               for all the users who try to change a password on TOS      |
|**************************************************************************/
/**************************************************************************|
|       --------------------                                               |
|       Modification History                                               |
|       --------------------                                               |
|       Version Date            Initial Amendment                          |
|       ======= ====            ======= =========                          |
|                                                                          |
|**************************************************************************/
#include <iostream>         /* Standard C++ Definitions    */
#include <ctype.h>          /* ispunct, isdigit, isalpha   */
#include <starlet.h>        /* System Service Prototypes   */
#include <stdio.h>          /* printf                      */
#include <descrip.h>        /* Descriptor Definitions      */
#include <ssdef.h>          /* SS$_ Message Codes          */
#include <str$routines.h>   /* OpenVMS prototype files     */
/*
| The function below provides the global entry point "policy_plaintext",
| called by the SET PASSWORD command with the new plaintext password.
| Returning SS$_PWDWEAK rejects the password.
*/
extern "C" int policy_plaintext( struct dsc$descriptor *password, struct dsc$descriptor *username )
{
    int   len  = password->dsc$w_length;
    char *str  = password->dsc$a_pointer;   /* not NUL-terminated: always bound by len */
    int   i;
    int   ltr  = 0;                         /* alphabetic characters  */
    int   numb = 0;                         /* decimal digits         */
    int   symb = 0;                         /* punctuation characters */
    for ( i = 0; i < len; i++ )
    {
        /* cast to unsigned char: the ctype functions require a non-negative argument */
        unsigned char c = (unsigned char) str[i];
        if      ( isalpha(c) ) ltr  += 1;
        else if ( isdigit(c) ) numb += 1;
        else if ( ispunct(c) ) symb += 1;
    }
    if ( ltr == 0 || numb == 0 || symb == 0 )
    {
        printf( "\nPassword must have mix of Alpha, Numeric and Punctuation characters( $ or _ )\n" );
        return SS$_PWDWEAK;
    }
    else
    {
        /* the username descriptor carries no terminator either, so limit %s by its length */
        printf( "\nPassword ok for %.*s", username->dsc$w_length, username->dsc$a_pointer );
        return SS$_NORMAL;
    }
}
/*
| The function below provides the global entry point "policy_hash",
| called by SET PASSWORD with the hashed password; no hash-based test is applied here.
*/
extern "C" int policy_hash( int password[2], struct dsc$descriptor *username )
{
    return SS$_NORMAL;
}