alphanumeric passwords (123 Views)
Advisor
Melinda Chan
Posts: 14
Registered: ‎01-04-2004
Message 1 of 9 (123 Views)
Accepted Solution

alphanumeric passwords

Hello
Quick question. I've looked at the OpenVMS Guide to System Security and can't seem to find any reference as to whether it is possible to make users set only alphanumeric passwords.

Is this possible?

thanks
Honored Contributor
Hein van den Heuvel
Posts: 6,585
Registered: ‎05-19-2003
Message 2 of 9 (123 Views)

Re: alphanumeric passwords

>> whether it is possible to make users set only alphanumeric passwords.


As opposed to what? This is in fact pretty much the default VMS setup already. Per security guide ( http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.HTMl ) :
"OpenVMS passwords are limited to the 7-bit ASCII characters A-Z, 0-9, _, and $." They are case insensitive.
That same chapter talks about some more sign-in flags and Lanmanager alternatives.

You can also create "Site-Specific Filters"
From the security guide:

"Besides screening passwords against a system dictionary and a history list, you can develop a site-specific password filter to ensure that passwords are properly constructed and are not words readily associated with your site. A filter can check for password length, the use of special characters or combinations of characters, and the use of product names or personnel names.

To create a list of site-specific words, you write the source code, create a shareable image, install the image, and, finally, enable the policy by setting a system parameter. See the HP OpenVMS Programming Concepts Manual for instructions"

hth,
Hein.


Advisor
Melinda Chan
Posts: 14
Registered: ‎01-04-2004
Message 3 of 9 (123 Views)

Re: alphanumeric passwords

Sorry, should have been a little clearer.

>>As opposed to - characters only.

Is it possible to enforce a user to pick a password that includes numbers as well as characters and not just characters alone?

I already have a password dictionary in use with site specific words included.
Honored Contributor
Hein van den Heuvel
Posts: 6,585
Registered: ‎05-19-2003
Message 4 of 9 (123 Views)

Re: alphanumeric passwords

Well, that really is what that password filter mechanism is created for. It is supposed to be documented between the security manual, and the programming concepts (pdf part 2: 32.10.2 Installing Filters for Site-Specific Password Policies)

Admittedly the concepts manual is a little off-putting "Bliss and Ada examples of the policy module's interface, called
VMS$PASSWORD_POLICY.*, are located in SYS$EXAMPLES.... on a VAX system"
Not exactly top-3 popular languages or machine architecture at this point in time.

Google for +openvms +"password filter" will find 'wizard' articles, FAQs and doc references, but admittedly I did not spot a 'good to go' example.

hth,
Hei
Honored Contributor
Hein van den Heuvel
Posts: 6,585
Registered: ‎05-19-2003
Message 5 of 9 (123 Views)

Re: alphanumeric passwords


Here is a trivial, working, example in C.
Admittedly the error handling is NOT up to VMS standards.

Hein.


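$create PASSWORD_POLICY.c
#include ctype
#include stdio
/* Minimal string descriptor: length, type/class word, address of the text */
typedef struct {short len, typ; char *addr;} desc;
/* Hash entry point: accept everything */
int policy_hash (void *hash, void *user) { return 1; }
/* Plaintext entry point: accept the password only if it contains a digit */
int policy_plaintext ( desc *pass, desc *user ) {
    /* printf ("pass=%.*s, user=%.*s\n", pass->len, pass->addr, user->len, user->addr); */
    char *p, *end;
    p = pass->addr;
    end = p + pass->len;          /* descriptor text is counted, not NUL-terminated */
    while (p < end) {
        if (isdigit( (unsigned char) *p++ )) { return 1 ;}
    }
    printf ("\nPassword refused. Must contain at least one digit.\n");
    return 16; /* hack */
}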
$
$ cc PASSWORD_POLICY
$
$ link/share PASSWORD_POLICY, sys$input:/opt
symbol_vector=(policy_hash=PROCEDURE,policy_plaintext=PROCEDURE)
$
$ copy PASSWORD_POLICY.exe sys$library:vms$PASSWORD_POLICY.exe /prot=(w:re)
$
$ instal replace sys$library:vms$PASSWORD_POLICY/open/head/share
$
$ sysgen
SYSGEN> USE ACTIVE
SYSGEN> SET LOAD_PWD_POLICY 1
SYSGEN> WRITE ACTIVE
SYSGEN> EXIT
$
$ set pass
Old password:
New password:
Verification:

Password refused. Must contain at least one digit.
%SYSTEM-F-BADPARAM, bad parameter value
$
$ set pass
Old password:
New password:
Verification:
%SET-F-PWDNOTVAL, old password validation error; password not changed
$ set pass
Old password:
New password:
Verification:
Honored Contributor
John Gillings
Posts: 2,992
Registered: ‎07-31-2003
Message 6 of 9 (123 Views)

Re: alphanumeric passwords

:-)

Ha! Hein made the same mistake as I did when asked the same question last year. His code checks that there is at least one digit, but it doesn't check that there is at least one alphabetic as well. So an all numeric password will pass the test. Sure, it's what was asked for, but perhaps not what was really wanted?

The attachment is an example written in MACRO (for those who don't have C licenses)
which checks that the password contains both alpha and numeric characters.

A crucible of informative mistakes
Honored Contributor
Hein van den Heuvel
Posts: 6,585
Registered: ‎05-19-2003
Message 7 of 9 (123 Views)

Re: alphanumeric passwords

Oh, I absolutely realized that it just tested for a digit, but that was asked :-).
I was tempted to write the example as a test for at least two alpha / digit transitions. But then where does a basic example stop and a solution start?
If I had to write this for real I would actually start by adding a series of 'obvious' password tests. If I was presented with xxxxxxNN then I'd see if xxxxxx(NN-1) was valid to catch the jokers that try to change password01 to password02. And I'd scan for years, and month names in a few languages. Of course that would not be a simple lexical test. You would actually have to try that password (or hash it).

I like John's ss$_pwdweak return. Much nicer than ss$_param.

Cheers,
Hein.

(Btw Melinda, that's enough points already for one question. Thanks! And welcome to the forum!)
Advisor
Melinda Chan
Posts: 14
Registered: ‎01-04-2004
Message 8 of 9 (123 Views)

Re: alphanumeric passwords

Much appreciated
Frequent Advisor
Dave Laurier
Posts: 57
Registered: ‎02-28-2006
Message 9 of 9 (123 Views)

Re: alphanumeric passwords

Just for the people who are interested in this stuff and who find it hard to extend the example in MACRO. I have created an example in C which is equivalent to the MACRO code from John Gillings (including OpenVMS error handling).

In the example the password is checked to contain both alphabetic and numeric characters.

This behavior can easily be modified by adapting the following lines in the source code:

1. Text of error message

static const $DESCRIPTOR (desc_error_msg, "%SYSTEM-F-BADPWD, password policy requires alphabetic and numeric characters");

2. Actual filter

if ((!b_found_alpha) ||
    (!b_found_digit))

For example, if one would like to also check for uppercase and lowercase characters to be present:

1. Text of error message

static const $DESCRIPTOR (desc_error_msg, "%SYSTEM-F-BADPWD, password policy requires alphabetic, uppercase, lowercase and numeric characters");

2. Actual filter

if ((!b_found_alpha) ||
    (!b_found_upper) ||
    (!b_found_lower) ||
    (!b_found_digit))
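
An added example, not code from any poster in this thread or from the attachments: a portable C sketch of the two checks discussed above, the character-class test behind the b_found_* flags and the xxxxxx(NN-1) candidate Hein describes. All function and constant names are hypothetical, and it does not implement the VMS$PASSWORD_POLICY interface itself.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Character classes a policy can require (names are hypothetical). */
enum { PW_ALPHA = 1, PW_DIGIT = 2, PW_UPPER = 4, PW_LOWER = 8 };

/* Classes present in a counted string (descriptor style, not NUL-terminated). */
unsigned pw_classes(const char *p, size_t len) {
    unsigned found = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)p[i];
        if (isalpha(c)) found |= PW_ALPHA;
        if (isdigit(c)) found |= PW_DIGIT;
        if (isupper(c)) found |= PW_UPPER;
        if (islower(c)) found |= PW_LOWER;
    }
    return found;
}

/* 1 if every class in `required` is present, else 0. */
int pw_meets(const char *p, size_t len, unsigned required) {
    return (pw_classes(p, len) & required) == required;
}

/* For xxxxxxNN, write xxxxxx(NN-1) into out, keeping the digit width.
   Returns 0 when there is no numeric suffix, it is all zeros, or out is too
   small. The caller hashes the candidate and compares with the current hash. */
int pw_predecessor(const char *p, size_t len, char *out, size_t outsz) {
    size_t stem = len;
    while (stem > 0 && isdigit((unsigned char)p[stem - 1])) stem--;
    if (stem == len || len + 1 > outsz) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    for (size_t i = len; i > stem; ) {      /* decimal decrement with borrow */
        i--;
        if (out[i] > '0') { out[i]--; return 1; }
        out[i] = '9';
    }
    out[0] = '\0';                          /* suffix was all zeros */
    return 0;
}

int main(void) {
    const char *pw = "password02";          /* constructed sample input */
    char prev[64];
    printf("alpha+digit: %d\n", pw_meets(pw, strlen(pw), PW_ALPHA | PW_DIGIT));
    if (pw_predecessor(pw, strlen(pw), prev, sizeof prev)) printf("also test: %s\n", prev);
    return 0;
}
```

Requiring `PW_ALPHA | PW_DIGIT` rejects the all-numeric password that a digit-only test lets through.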