SECURITY CORNER
 

Whaddya Know, Joe?

Article Date: 3/94

In the last issue of the newsletter, we took a look at basic password security on the Stratus, particularly under VOS. VOS provides all the capabilities for Identification and Authentication (I&A) of users. Each user must have a unique, known ID registered on the system and must respond to a password challenge to authenticate the ID.

One of the challenges in security administration is training the users on the implementation of a strong password policy and enforcing it. Last time, we looked at some of the tools available to assist the security administrator with strong passwords. In this article, let's take a look at a special type of password problem - the "Joe account".

In security circles, the term "Joe account" refers to a user who uses their name or part of their name as the password for their account. If my name is Joe_User, then a hacker or someone trying to gain unauthorized access to my account might immediately try some form of Joe or User as my password.

The set_password_security command introduced in VOS Release 11 provides a number of options to help you control Joe accounts.

The -forbid_user_name option is the most obvious. For Joe_User, this prevents "joe", "user", and "joeuser" as passwords. Along with this one, you may also want to turn on -forbid_reverse, which prevents the user from selecting a password that is the reverse of their user name, such as "eoj". Finally, -forbid_anagram prevents a password that is an anagram of the user name, such as "oej".

A technique mentioned in the last newsletter is also useful in avoiding Joe problems. Use the option -req_alpha_numeric. This forces the user to include numbers as well as letters in their password. This helps to avoid the Joe syndrome, as well as generally making a stronger password, since more characters must be tried in a brute-force attempt at password cracking. It also defeats a straightforward dictionary attack, since plain dictionary words are no longer valid passwords. You might also want to turn on -forbid_begin_end_numeric. This will prevent the user from choosing "joe2" as a password.
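To make the effect of these options concrete, here is an added example (not VOS code, and not from the original article) that checks a candidate password against the rules described above for a user such as Joe_User. It assumes comparisons are case-insensitive and that the user name is split into parts at underscores, matching the "joe", "user", "joeuser" examples in the text; the real VOS implementation may differ in details.

```python
import re


def _name_parts(user_name):
    """Lowercased forms of a user name that count as 'the user name':
    the whole name, each underscore-separated part, and the parts
    run together ('Joe_User' -> joe_user, joe, user, joeuser).
    Splitting on underscores is an assumption made for this example."""
    whole = user_name.lower()
    parts = [p for p in whole.split("_") if p]
    return set(parts + ["".join(parts), whole])


def check_password(user_name, password,
                   forbid_user_name=True, forbid_reverse=True,
                   forbid_anagram=True, req_alpha_numeric=True,
                   forbid_begin_end_numeric=True):
    """Return the names of the policy options the password violates.

    An empty list means the password passes every enabled rule.
    Option names mirror the set_password_security options in the text."""
    pw = password.lower()          # assumed case-insensitive comparison
    names = _name_parts(user_name)
    violations = []

    if forbid_user_name and pw in names:
        violations.append("forbid_user_name")
    if forbid_reverse and pw in {n[::-1] for n in names}:
        violations.append("forbid_reverse")
    # An anagram is a rearrangement of the same letters; an exact match
    # is already reported by forbid_user_name, so it is skipped here.
    if forbid_anagram and any(n != pw and sorted(n) == sorted(pw)
                              for n in names):
        violations.append("forbid_anagram")
    # Require at least one letter and at least one digit.
    if req_alpha_numeric and not (re.search(r"[a-z]", pw)
                                  and re.search(r"[0-9]", pw)):
        violations.append("req_alpha_numeric")
    # Reject passwords like 'joe2' that simply tack a digit on an end.
    if forbid_begin_end_numeric and pw and (pw[0].isdigit()
                                            or pw[-1].isdigit()):
        violations.append("forbid_begin_end_numeric")
    return violations
```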

Don't forget that it is possible with login_admin and set_password_security to control password aging, so that users must periodically set new passwords. Even though you have eliminated "Joe accounts", don't let users leave passwords forever as targets for repeated attempts at breaking.

These commands help you to make the Stratus as technically secure as possible. However, no technical solution matches a user who understands the need for security to protect the assets of the business. Use your training skills to get your users on-board with a carefully planned and implemented security policy.

©Copyright 2009