By Steve Hammond
Feathers (1932) Groucho is attempting to enter a
speakeasy, Chico is manning the door:
Chico: Who are you?
fine, thanks, who are you?
Chico: Im fine
too, but you cant come in unless you give the password.
Groucho: Well, what
is the password?
Chico: Aw, no! You
gotta tell me. Hey, I tell what I do. I give you three guesses.
Its the name of a fish.
Groucho: Is it Mary?
Thats-a no fish.
isnt, well, she drinks like one. Let me see. Is it sturgeon?
Chico: Hey you crazy!
Sturgeon, hes a doctor cuts you open when-a you sick. Now I
give you one more chance.
Groucho: I got it!
funny. I gotta haddock, too.
Groucho: What do you
take for a haddock?
sometimes I take-a aspirin, sometimes I take-a Calamel.
Id walk a mile for a Calamel.
Chico: You mean
chocolate calamel. I like that too, but you no guess it. Hey,
whats-a matter, you no understand English? You cant come
in here unless you say swordfish. Now Ill give you
one more guess.
Groucho: [To himself]
Groucho: I think I
got it. Is it swordfish?
Thats-a it! You guess it!
Groucho: Pretty good, eh?
Do you sometimes feel
like your users passwords are about as secure those the one
protected here by Chico? Well, Security/3000 can help.
Some of our
favorite users think they can get around all the barriers
we put up to keep our systems secure. How many times have you seen a
password of secret or a or 12345?
Sounding like a broken record Security/3000 can help.
Were just going
to address MPE passwords, but most of these rules will apply to
Security/3000 passwords and well see how they can be applied to
Probably the best way
to keep the passwords unguessable is to set some sort of
password rules. Now merely telling a user that their password must
include at least one digit doesnt make it so. Youve got
to have some means of enforcing those rules. With additions to our
old friend SECURCON.DATA.VESOFT, you can create those rules for your
passwords, at the account or user type level. The keyword
$MPE-PASS-EDIT ?????@ @.FINANCE enforces passwords of at
least six characters in length for anyone logging into the FINANCE
account. (If you dont list a userset, the default is @.@ or
If you want a
password to be at least five characters and end in a digit, then
$MPE-PASS-EDIT ????@# does the trick. How about this
?#?#?@ CAP=SM CAP=PM
Any user with
SM or PM capability must have a password six characters long with the
second and fourth characters digits. Makes things a little tighter
for those people with the power.
The other powerful
keyword is $MPE-PASS-FORBID. The format of that is similar:
expression error message userset
So you can
prevent all alpha passwords with:
ALPHA(P) Password cannot be all alpha
prevent all numerics with:
NUMERIC(P) Password cannot be all numeric
like this one:
[Im not going
to continue creating error messages - you know what they are and what
to do with them.] This is handy for those people who use a password
of JJJJJJ or 222.
Since Security is aware of
just about every MPE user, account and group variable, you can use
that to your advantage:
P=USER or P=HPACCOUNT or
someone from using a password that matches the user, account or group
name; i.e. the user TEST with a password of
TEST would not cut it here. Along those same lines,
prevents someone from
using the account password as their user password also.
But, of course, my
favorite option here is:
because it lets you work with a file called BADPASS.AUDITDAT.VESOFT.
BADPASS is a file of words you do not want to use as passwords. In my
first job, I cannot tell you how people used the company name as
their password. If you look at that file, you will see some of the
most popular ones SECRET, PASSWORD and PASS. Plus a couple of
others that are regularly used by vendors. You can manipulate this to
your hearts content and you can put down the clamps on common
The last MPE password
option we need to discuss is $MPE-U-NEED-PASS (userset). This lets
you declare who MUST have a password. The most obvious is
$MPE-U-NEED-PASS CAP=SM CAP=PM because as we said before, these are
the users who can do the most damage, so you really want them to be
The last thing to
mention is that all of these keywords except the last one will also
work on Security/3000 passwords except for the MPE-U-NEED-PASS.
Instead of MPE-PASS-FORBID, you use VEPASS-FORBID and MPE-PASS-EDIT
is just PASS-EDIT.
So, straighten up, go back
to the front door and dont let anyone in unless they know that
Steve Hammond, who
works for a trade association in Washington, DC, has never used
swordfish for a password.
Copyright The 3000 NewsWire. All