| Front Page | News Headlines | Technical Headlines | Planning Features | Advanced Search |
Epic Systems Sponsor Message


No Swordfish, Please

By Steve Hammond

From Horse Feathers (1932) — Groucho is attempting to enter a speakeasy, Chico is manning the door:

Chico: Who are you?
Groucho: I’m fine, thanks, who are you?
Chico: I’m fine too, but you can’t come in unless you give the password.
Groucho: Well, what is the password?
Chico: Aw, no! You gotta tell me. Hey, I tell what I do. I give you three guesses. It’s the name of a fish.
Groucho: Is it Mary?
Chico: Ha-ha. That’s-a no fish.
Groucho: She isn’t, well, she drinks like one. Let me see. Is it sturgeon?
Chico: Hey you crazy! Sturgeon, he’s a doctor cuts you open when-a you sick. Now I give you one more chance.
Groucho: I got it! Haddock!
Chico: That’s-a funny. I gotta haddock, too.
Groucho: What do you take for a haddock?
Chico: Well-a, sometimes I take-a aspirin, sometimes I take-a Calamel.
Groucho: Say, I’d walk a mile for a Calamel.
Chico: You mean chocolate calamel. I like that too, but you no guess it. Hey, what’s-a matter, you no understand English? You can’t come in here unless you say “swordfish.” Now I’ll give you one more guess.
Groucho: [To himself] Swordfish. Swordfish.
[To Chico.]
Groucho: I think I got it. Is it “swordfish”?
Chico: Hah! That’s-a it! You guess it!
Groucho: Pretty good, eh?

Do you sometimes feel like your users’ passwords are about as secure those the one ‘protected’ here by Chico? Well, Security/3000 can help.

Some of our “favorite” users think they can get around all the barriers we put up to keep our systems secure. How many times have you seen a password of “secret” or “a” or “12345”? Sounding like a broken record — Security/3000 can help.

We’re just going to address MPE passwords, but most of these rules will apply to Security/3000 passwords and we’ll see how they can be applied to those.

Probably the best way to keep the passwords “unguessable” is to set some sort of password rules. Now merely telling a user that their password must include at least one digit doesn’t make it so. You’ve got to have some means of enforcing those rules. With additions to our old friend SECURCON.DATA.VESOFT, you can create those rules for your passwords, at the account or user type level. The keyword $MPE-PASS-EDIT “?????@” @.FINANCE enforces passwords of at least six characters in length for anyone logging into the FINANCE account. (If you don’t list a userset, the default is @.@ or every user.)

If you want a password to be at least five characters and end in a digit, then $MPE-PASS-EDIT “????@#” does the trick. How about this one?


Any user with SM or PM capability must have a password six characters long with the second and fourth characters digits. Makes things a little tighter for those people with the power.

The other powerful keyword is $MPE-PASS-FORBID. The format of that is similar:

$MPE-PASS-FORBID “expression” “error message” userset

So you can prevent all alpha passwords with:

$MPE-PASS-FORBID “ALPHA(P)” “Password cannot be all alpha”

You can prevent all numerics with:

$MPE-PASS-FORBID “NUMERIC(P)” “Password cannot be all numeric”

I especially like this one:


[I’m not going to continue creating error messages - you know what they are and what to do with them.] This is handy for those people who use a password of “JJJJJJ” or “222.”

Since Security is aware of just about every MPE user, account and group variable, you can use that to your advantage:


P=HPGROUP” “...”

This forbids someone from using a password that matches the user, account or group name; i.e. the user “TEST” with a password of “TEST” would not cut it here. Along those same lines,


prevents someone from using the account password as their user password also.

But, of course, my favorite option here is:


That’s because it lets you work with a file called BADPASS.AUDITDAT.VESOFT. BADPASS is a file of words you do not want to use as passwords. In my first job, I cannot tell you how people used the company name as their password. If you look at that file, you will see some of the most popular ones — SECRET, PASSWORD and PASS. Plus a couple of others that are regularly used by vendors. You can manipulate this to your heart’s content and you can put down the clamps on common passwords.

The last MPE password option we need to discuss is $MPE-U-NEED-PASS (userset). This lets you declare who MUST have a password. The most obvious is $MPE-U-NEED-PASS CAP=SM CAP=PM because as we said before, these are the users who can do the most damage, so you really want them to be passworded.

The last thing to mention is that all of these keywords except the last one will also work on Security/3000 passwords except for the MPE-U-NEED-PASS. Instead of MPE-PASS-FORBID, you use VEPASS-FORBID and MPE-PASS-EDIT is just PASS-EDIT.

So, straighten up, go back to the front door and don’t let anyone in unless they know that password.

Steve Hammond, who works for a trade association in Washington, DC, has never used ‘swordfish’ for a password.

Copyright The 3000 NewsWire. All rights reserved.