[vmsnet.sysmgt] Additional Bad Passwords not in VMS 5.4

ted@nieland.DAYTON.OH.US (Ted Nieland) (01/24/91)

The following article can be freely republished in any DECUS Publication, 
including all LUG Newsletters.

		Additional Bad Passwords
		    Ted Nieland

In the VMS 5.4 operating system, DEC has added a new security feature to
screen passwords before they are set by checking them against a dictionary
that is supplied by DEC.  There is also a built-in hook to allow system
programmers to add additional checks through a module DEC calls a VMS Password
Policy.  However, the DEC dictionary is far from complete.

This new security feature is a way of enhancing security without resorting
to the system-generated passwords that are a requirement in many OS security
specifications.  The new feature, recommended by DECUS members to DEC, allows
security for passwords without forcing on users passwords that they end up
writing down and posting on their terminals.

Recently, in the alt.security newsgroup on USENET, a message was posted
having to do with common passwords.  The passwords listed were from
"A Novice's Guide to Hacking- 1989 Edition".  This was a very complete list of
bad passwords, having both names and other common words.  However, a
comparison between this list and the DEC-supplied dictionary shows a few words
on this common password list that aren't in DEC's dictionary.  These
passwords are:


I expect that in a future release DEC will add these words (and more) to
their dictionary, but until then people may want to use a Password Policy
module that utilizes a secondary dictionary to add these words to a check list.

I have submitted a password policy module that allows for a secondary
dictionary to the VAX SIG Tape and it has been posted to VMSNET.SOURCES on the
VMSNET network.
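
The two steps described above (comparing a common-password list against the
primary dictionary, then screening new passwords against a secondary
dictionary as well), as an added example in portable C.  It is not the module
submitted to the VAX SIG Tape and does not use the VMS Password Policy
interface; the word lists and all function names are constructed for
illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data: stand-ins for the vendor dictionary and a
   site-maintained secondary list. Both must stay sorted for bsearch. */
static const char *primary_dict[]   = { "dragon", "password", "secret", "wizard" };
static const char *secondary_dict[] = { "decus", "sysmgr", "vaxstation" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
enum verdict { PW_OK, PW_IN_PRIMARY, PW_IN_SECONDARY, PW_INVALID };

static int cmp_entry(const void *key, const void *elem)
{
    return strcmp((const char *)key, *(const char *const *)elem);
}

static int in_dict(const char *word, const char **dict, size_t n)
{
    return bsearch(word, dict, n, sizeof *dict, cmp_entry) != NULL;
}

/* Lower-case the candidate so "WIZARD" matches "wizard".
   Returns -1 if it is empty or does not fit in out. */
static int normalize(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in);
    if (n == 0 || n >= outlen) return -1;
    for (size_t i = 0; i <= n; i++)            /* <= n copies the NUL too */
        out[i] = (char)tolower((unsigned char)in[i]);
    return 0;
}

/* Screening: reject a word found in either dictionary. */
enum verdict screen_password(const char *candidate)
{
    char word[64];
    if (normalize(candidate, word, sizeof word) != 0) return PW_INVALID;
    if (in_dict(word, primary_dict, COUNT(primary_dict))) return PW_IN_PRIMARY;
    if (in_dict(word, secondary_dict, COUNT(secondary_dict))) return PW_IN_SECONDARY;
    return PW_OK;
}

/* Comparison: collect entries of a common-password list that the primary
   dictionary misses; these are the candidates for the secondary list. */
size_t missing_from_primary(const char *const *list, size_t n, const char **out)
{
    size_t found = 0;
    char word[64];
    for (size_t i = 0; i < n; i++)
        if (normalize(list[i], word, sizeof word) == 0 &&
            !in_dict(word, primary_dict, COUNT(primary_dict)))
            out[found++] = list[i];
    return found;
}
```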