[comp.os.vms] Additional Bad Passwords not in VMS 5.4

ted@nieland.DAYTON.OH.US (Ted Nieland) (01/24/91)

The following article can be freely republished in any DECUS Publication, 
including all LUG Newsletters.

		Additional Bad Passwords
			by
		    Ted Nieland

In the VMS 5.4 operating system, DEC has added a new security feature to
screen passwords before they are set by checking them against a dictionary
that is supplied by DEC.  There is also a built-in hook to allow system
programmers to add additional checks through a module DEC calls a VMS Password
Policy.  However, the DEC dictionary is far from complete.

This new security feature is a new way of enhancing security without resorting
to the system-generated passwords that are a requirement in many OS security
specifications.  The new feature, recommended by DECUS members to DEC, allows
security for passwords without forcing passwords on users that they end up
writing down and posting on their terminals.

Recently, under the alt.security newsgroup on USENET a message was posted
having to do with common passwords.  The passwords listed were from
"A Novice's Guide to Hacking- 1989 Edition".  This was a very complete list of
bad passwords, having both names and other common words.  However, a
comparison between this list and the DEC supplied dictionary shows a few words
on this common password list that aren't in DEC's dictionary.  These
passwords are:

	guessit
	asshole
	badass
	compareall
	condom
	debbie
	deborah
	eatme
	mogul
	reagan

I expect that in a future release that DEC will add these words (and more) to
their dictionary, but until then people may want to use a Password Policy
module that utilizes a secondary dictionary to add these words to a check list.

I have submitted a password policy module that allows for a secondary
dictionary to the VAX SIG Tape and it has been posted to VMSNET.SOURCES on the
VMSNET network.
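The two-dictionary screen the post describes, written out as an added example for this thread.  It is not Ted Nieland's posted policy module and does not use the VMS policy-routine interface; it is plain Python that shows the decision a site's secondary check adds on top of DEC's.  The handful of words in the primary list is a constructed stand-in for the DEC dictionary, the '!' comment convention is an assumption borrowed from DCL, and the secondary list is exactly the ten words from the post.

```python
"""Two-dictionary password screen, in the spirit of a VMS 5.4 password
policy module.  Added example for this thread; it is not the posted
module and does not use the VMS system service interface."""

from typing import Optional, Set

# Constructed stand-in for the DEC-supplied dictionary.  The real
# SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA is far larger; these are
# just a few plausible entries so the example runs offline.
PRIMARY_DICTIONARY_TEXT = """\
! constructed sample of a DEC-style dictionary, one word per line
password
secret
system
manager
welcome
"""

# Site-supplied secondary dictionary: the ten words the post found
# missing from DEC's list (constructed file, same one-word-per-line form).
SECONDARY_DICTIONARY_TEXT = """\
guessit
asshole
badass
compareall
condom
debbie
deborah
eatme
mogul
reagan
"""


def load_dictionary(text: str) -> Set[str]:
    """Parse a one-word-per-line dictionary into an uppercase set.

    VMS folds passwords to uppercase before hashing, so the comparison
    must be case-insensitive.  Lines beginning with '!' are treated as
    comments; that convention is an assumption borrowed from DCL.
    """
    words: Set[str] = set()
    for line in text.splitlines():
        word = line.split("!", 1)[0].strip()
        if word:
            words.add(word.upper())
    return words


PRIMARY = load_dictionary(PRIMARY_DICTIONARY_TEXT)
SECONDARY = load_dictionary(SECONDARY_DICTIONARY_TEXT)


def screen_password(password: str, use_secondary: bool = True) -> Optional[str]:
    """Return None if the password passes, otherwise which list rejected it.

    This mirrors the order a site policy routine sees: DEC's dictionary
    check runs first, and the secondary list only matters for words the
    primary dictionary let through.  use_secondary=False shows the
    behaviour of a system that has not installed a policy module.
    """
    candidate = password.strip().upper()
    if not candidate:
        return "empty"
    if candidate in PRIMARY:
        return "primary"
    if use_secondary and candidate in SECONDARY:
        return "secondary"
    return None


if __name__ == "__main__":
    for pw in ("Deborah", "system", "Xk9#pq2L"):
        print(f"{pw!r}: DEC only -> {screen_password(pw, use_secondary=False)}, "
              f"with secondary -> {screen_password(pw)}")
```

Running it shows the gap the post is about: "Deborah" passes the DEC-only check and is rejected only once the secondary list is consulted, while "system" is caught by the primary dictionary either way.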

mark@sickkids.toronto.edu (Mark Bartelt) (02/01/91)

|                                                           However, a
| comparison between this list and the DEC supplied dictionary shows a few words
| on this common password list that aren't in DEC's dictionary.  These
| passwords are:
|
|       guessit
|       asshole
|       badass
|       compareall
|       condom
|       debbie
|       deborah
|       eatme
|       mogul
|       reagan

OK, I can understand why DEC might be embarrassed to ship its corporate
bigwig customers a component of VMS with something like "asshole" buried
inside, but who on earth is Deborah, and what is special about her name?
Were those names the only ones on the original list?  Or did that list
contain others, of which only "deb{bie,orah}" were elided by KO's henchmen?
And whichever the case, why?  Inquiring minds hunger for enlightenment.