[comp.org.decus] Additional Bad Passwords not in VMS 5.4

ted@nieland.DAYTON.OH.US (Ted Nieland) (01/24/91)

The following article can be freely republished in any DECUS Publication, 
including all LUG Newsletters.

		Additional Bad Passwords
			by
		    Ted Nieland

In the VMS 5.4 operating system, DEC has added a new security feature to
screen passwords before they are set by checking them against a dictionary
that is supplied by DEC.  There is also a built-in hook to allow system
programmers to add additional checks through a module DEC calls a VMS Password
Policy.  However, the DEC dictionary is far from complete.

This new security feature is a new way of enhancing security without resorting
to the system-generated passwords that are a requirement in many OS security
specifications.  The new feature, recommended by DECUS members to DEC, allows
security for passwords, without forcing passwords on users that they end up
writing down and posting on their terminals.

Recently, under the alt.security newsgroup on USENET a message was posted
having to do with common passwords.  The passwords listed were from
"A Novice's Guide to Hacking- 1989 Edition".  This was a very complete list of
bad passwords, having both names and other common words.  However, a
comparison between this list and the DEC supplied dictionary shows a few words
on this common password list that aren't in DEC's dictionary.  These
passwords are:

	guessit
	asshole
	badass
	compareall
	condom
	debbie
	deborah
	eatme
	mogul
	reagan

I expect that in a future release DEC will add these words (and more) to
their dictionary, but until then people may want to use a Password Policy
module that utilizes a secondary dictionary to add these words to a check list.

I have submitted a password policy module that allows for a secondary
dictionary to the VAX SIG Tape and it has been posted to VMSNET.SOURCES on the
VMSNET network.
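
As an added illustration of the two-stage check described above (example
code written for this page, not Ted's VAX SIG Tape module and not DEC code):
the primary dictionary is a constructed stand-in for a few entries of the
DEC list, the secondary dictionary is the ten words from the post, and the
case-folding assumes the target system compares passwords case-insensitively.
The rot-1 option on the loader is there only because a later reply in this
thread notes that VMS keeps one of its internal word lists stored rot-1; the
flat-file format read by the loader is an assumption of this example.

```python
"""Password screening against a primary and a secondary dictionary.

Added example, not the VMS Password Policy module mentioned in the post
and not DEC code.  It models the two-stage check the post describes: a
candidate password is first compared against the vendor-supplied
dictionary, then against a site-maintained secondary dictionary holding
the words the vendor list lacks.
"""

# Constructed stand-in for a few entries of the vendor-supplied dictionary.
PRIMARY_DICTIONARY = {"password", "secret", "manager", "system", "welcome"}

# Site secondary dictionary: the ten words listed in the post.
SECONDARY_DICTIONARY = {
    "guessit", "asshole", "badass", "compareall", "condom",
    "debbie", "deborah", "eatme", "mogul", "reagan",
}


def normalize(password):
    """Fold case before comparison.  Assumption: the target system (VMS of
    this era) compares passwords case-insensitively, so DEBORAH and Deborah
    are the same dictionary word."""
    return password.strip().lower()


def unrot(word, shift):
    """Undo a Caesar shift on a-z (rot-1 when shift == 1).  Included because
    a later reply in the thread notes that VMS stores one of its internal
    word lists rot-1; this lets such a file be loaded as a dictionary."""
    out = []
    for ch in word:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") - shift) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def load_dictionary(lines, shift=0):
    """Build a dictionary set from one-word-per-line text (assumed file
    format for a site list): blank lines and '#' comments are ignored, and
    each word is un-rotated by 'shift' letters after being normalized."""
    words = set()
    for line in lines:
        word = line.split("#", 1)[0].strip()
        if word:
            words.add(unrot(normalize(word), shift))
    return words


def check_password(password, primary=PRIMARY_DICTIONARY,
                   secondary=SECONDARY_DICTIONARY):
    """Return (accepted, reason).  The primary check runs first; the
    secondary check is the hook a site policy module adds on top of it."""
    candidate = normalize(password)
    if candidate in primary:
        return False, "rejected: in primary (vendor) dictionary"
    if candidate in secondary:
        return False, "rejected: in secondary (site) dictionary"
    return True, "accepted: not in either dictionary"


if __name__ == "__main__":
    # Constructed site list held rot-1 on disk ("nphvm" is mogul,
    # "sfbhbo" is reagan), to show loading an obfuscated word file.
    site_file = ["# site words, stored rot-1", "nphvm", "sfbhbo"]
    site_words = load_dictionary(site_file, shift=1) | SECONDARY_DICTIONARY
    for pw in ("Deborah", "REAGAN", "Welcome", "x7qv#Lm9"):
        print(pw, "->", check_password(pw, secondary=site_words)[1])
```

Only exact whole-word matches are rejected here; a site that also wants to
catch reversed words, digit suffixes or usernames would add those
transformations to check_password before the dictionary lookups.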

mark@sickkids.toronto.edu (Mark Bartelt) (02/01/91)

|                                                           However, a
| comparison between this list and the DEC supplied dictionary shows a few words
| on this common password list that aren't in DEC's dictionary.  These
| passwords are:
|
|       guessit
|       asshole
|       badass
|       compareall
|       condom
|       debbie
|       deborah
|       eatme
|       mogul
|       reagan

OK, I can understand why DEC might be embarrassed to ship its corporate
bigwig customers a component of VMS with something like "asshole" buried
inside, but who on earth is Deborah, and what is special about her name?
Were those names the only ones on the original list?  Or did that list
contain others, of which only "deb{bie,orah}" were elided by KO's henchmen?
And whichever the case, why?  Inquiring minds hunger for enlightenment.

nieland_t@kahuna.asd-yf.wpafb.af.mil (02/05/91)

In article <436@sickkids.UUCP>, mark@sickkids.toronto.edu (Mark Bartelt) writes:
> 
> OK, I can understand why DEC might be embarrassed to ship its corporate
> bigwig customers a component of VMS with something like "asshole" buried
> inside, but who on earth is Deborah, and what is special about her name?
> Were those names the only ones on the original list?  Or did that list
> contain others, of which only "deb{bie,orah}" were elided by KO's henchmen?
> And whichever the case, why?  Inquiring minds hunger for enlightenment.

1) There were many names on the original list.  The debbie/deborah just didn't 
make it into the DEC dictionary.  First names of any type are basically a 
no-no for passwords.  DEC just didn't have a good enough list of names in their
dictionary.

2) Certain words are not taboo to be put in the dictionary; a good number of
the four-letter variety (including f*ck) are already there.


Ted Nieland				nieland_t@kahuna.asd-yf.wpafb.af.mil
Control Data Corporation		nieland@dayfac.cdc.com
(513) 427-6355				ted@nieland.dayton.oh.us

pmkatz@axion.bt.co.uk (Philip Katz) (02/05/91)

From article <436@sickkids.UUCP>, by mark@sickkids.toronto.edu (Mark Bartelt):
> OK, I can understand why DEC might be embarrassed to ship its corporate
> bigwig customers a component of VMS with something like "asshole" buried
> inside,

	Actually, VMS ships with a complete list of swear words, in a
variety of languages!  These are used internally to ensure that generated
passwords don't offend anyone.  It is quite easy to access and decipher them
... they are all stored rot-1!

	I remember posting the words I didn't know to comp.os.vms some time
ago and getting many replies from around the world telling me what the
various words meant and in what languages!!

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
: Philip Katz,                           :: e-mail Katz_P_M@bt-web.bt.co.uk :
: British Telecom Research Laboratories  :: 'phone + 44 473 645672          :
: RT1264, B68, Room 17, Martlesham Heath :: fax    + 44 473 637550          :
: Ipswich, Suffolk, England IP5 7RE      ::                                 :
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::