
No Swordfish, Please

By Steve Hammond

From Horse Feathers (1932) — Groucho is attempting to enter a speakeasy, Chico is manning the door:

Chico: Who are you?
Groucho: I’m fine, thanks, who are you?
Chico: I’m fine too, but you can’t come in unless you give the password.
Groucho: Well, what is the password?
Chico: Aw, no! You gotta tell me. Hey, I tell what I do. I give you three guesses. It’s the name of a fish.
Groucho: Is it Mary?
Chico: Ha-ha. That’s-a no fish.
Groucho: She isn’t, well, she drinks like one. Let me see. Is it sturgeon?
Chico: Hey you crazy! Sturgeon, he’s a doctor cuts you open when-a you sick. Now I give you one more chance.
Groucho: I got it! Haddock!
Chico: That’s-a funny. I gotta haddock, too.
Groucho: What do you take for a haddock?
Chico: Well-a, sometimes I take-a aspirin, sometimes I take-a Calamel.
Groucho: Say, I’d walk a mile for a Calamel.
Chico: You mean chocolate calamel. I like that too, but you no guess it. Hey, what’s-a matter, you no understand English? You can’t come in here unless you say “swordfish.” Now I’ll give you one more guess.
Groucho: [To himself] Swordfish. Swordfish.
[To Chico.]
Groucho: I think I got it. Is it “swordfish”?
Chico: Hah! That’s-a it! You guess it!
Groucho: Pretty good, eh?

Do you sometimes feel like your users’ passwords are about as secure as the one ‘protected’ here by Chico? Well, Security/3000 can help.

Some of our “favorite” users think they can get around all the barriers we put up to keep our systems secure. How many times have you seen a password of “secret” or “a” or “12345”? Sounding like a broken record — Security/3000 can help.

We’re just going to address MPE passwords, but most of these rules will apply to Security/3000 passwords and we’ll see how they can be applied to those.

Probably the best way to keep the passwords “unguessable” is to set some sort of password rules. Now merely telling a user that their password must include at least one digit doesn’t make it so. You’ve got to have some means of enforcing those rules. With additions to our old friend SECURCON.DATA.VESOFT, you can create those rules for your passwords, at the account or user type level. The keyword $MPE-PASS-EDIT “?????@” @.FINANCE enforces passwords of at least six characters in length for anyone logging into the FINANCE account. (If you don’t list a userset, the default is @.@ or every user.)

If you want a password to be at least five characters and end in a digit, then $MPE-PASS-EDIT “????@#” does the trick. How about this one?

$MPE-PASS-EDIT “?#?#?@” CAP=SM CAP=PM

Any user with SM or PM capability must have a password six characters long with the second and fourth characters digits. Makes things a little tighter for those people with the power.

The other powerful keyword is $MPE-PASS-FORBID. The format of that is similar:

$MPE-PASS-FORBID “expression” “error message” userset

So you can prevent all alpha passwords with:

$MPE-PASS-FORBID “ALPHA(P)” “Password cannot be all alpha”

You can prevent all numerics with:

$MPE-PASS-FORBID “NUMERIC(P)” “Password cannot be all numeric”

I especially like this one:

$MPE-PASS-FORBID “MAXCONSECUTIVE(P)>=3” “...”

[I’m not going to continue creating error messages - you know what they are and what to do with them.] This is handy for those people who use a password of “JJJJJJ” or “222.”

Since Security is aware of just about every MPE user, account and group variable, you can use that to your advantage:

$MPE-PASS-FORBID “P=USER or P=HPACCOUNT or P=HPGROUP” “...”

This forbids someone from using a password that matches the user, account or group name; i.e. the user “TEST” with a password of “TEST” would not cut it here. Along those same lines,

$MPE-PASS-FORBID “P=VEACCTINFO(HPACCOUNT).PASSWORD” “...”

prevents someone from using the account password as their user password also.

But, of course, my favorite option here is:

$MPE-PASS-FORBID “BADPASSWORD(P)” “...”

That’s because it lets you work with a file called BADPASS.AUDITDAT.VESOFT. BADPASS is a file of words you do not want to use as passwords. In my first job, I cannot tell you how people used the company name as their password. If you look at that file, you will see some of the most popular ones — SECRET, PASSWORD and PASS. Plus a couple of others that are regularly used by vendors. You can manipulate this to your heart’s content and you can put down the clamps on common passwords.
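
The forbid rules above, modeled in Python as an added illustration for trying candidate passwords against the same checks; this is not Security/3000 code or anything shipped by VESOFT. The rule semantics (case-insensitive comparison, MAXCONSECUTIVE read as the longest run of one repeated character), the user TEST.PUB in FINANCE, and every message other than the two quoted in the article are assumptions.

```python
# Added illustration: a Python model of the $MPE-PASS-FORBID checks described
# above. Not Security/3000 code; the rule semantics below are assumptions.
from itertools import groupby

# Constructed sample list; the article names SECRET, PASSWORD and PASS as
# entries found in the BADPASS file.
BAD_PASSWORDS = {"SECRET", "PASSWORD", "PASS"}


def max_consecutive(p):
    """Length of the longest run of one repeated character."""
    return max((len(list(run)) for _, run in groupby(p)), default=0)


def forbidden_reasons(password, user, account, group, account_password=""):
    """Return the message of every forbid rule the candidate trips."""
    p = password.upper()  # assumption: comparisons ignore case
    rules = [
        (p.isalpha(), "Password cannot be all alpha"),
        (p.isdigit(), "Password cannot be all numeric"),
        (max_consecutive(p) >= 3, "Password repeats a character 3+ times"),
        (p in {user.upper(), account.upper(), group.upper()},
         "Password matches user, account or group name"),
        (bool(account_password) and p == account_password.upper(),
         "Password matches the account password"),
        (p in BAD_PASSWORDS, "Password is on the bad-password list"),
    ]
    return [message for tripped, message in rules if tripped]


if __name__ == "__main__":
    # Constructed candidates for a hypothetical user TEST.PUB in FINANCE.
    for candidate in ["TEST", "222", "JJJJJJ", "secret", "LEDGER7", "K7M2QX"]:
        reasons = forbidden_reasons(candidate, "TEST", "FINANCE", "PUB",
                                    account_password="LEDGER7")
        print(f"{candidate:8} {'REJECT' if reasons else 'ok':7} {reasons}")
```
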

The last MPE password option we need to discuss is $MPE-U-NEED-PASS (userset). This lets you declare who MUST have a password. The most obvious is $MPE-U-NEED-PASS CAP=SM CAP=PM because as we said before, these are the users who can do the most damage, so you really want them to be passworded.

The last thing to mention is that all of these keywords except the last one, MPE-U-NEED-PASS, will also work on Security/3000 passwords. Instead of MPE-PASS-FORBID you use VEPASS-FORBID, and MPE-PASS-EDIT is just PASS-EDIT.

So, straighten up, go back to the front door and don’t let anyone in unless they know that password.

Steve Hammond, who works for a trade association in Washington, DC, has never used ‘swordfish’ for a password.


Copyright The 3000 NewsWire. All rights reserved.