[Info-vax] Enhanced Password Management

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Wed Mar 20 16:11:26 EDT 2019


On 2019-03-20 19:36:35 +0000, Jan-Erik Söderholm said:

> Just got this from VSI:
> 
> "Thank you to those of you who downloaded and tested the Enhanced 
> Password Management software."
...
> The minimum number of upper-case characters in a password
> The minimum number of lower-case characters in a password
> ...


For anyone interested, I've some open source that implements that 
filtering, and for most any OpenVMS version in use.

More generally, it's interesting to see VSI headed away from what US 
NIST and other recent recommendations suggest for password composition.

"Verifiers SHOULD NOT impose other composition rules (e.g., requiring 
mixtures of different character types or prohibiting consecutively 
repeated characters) for memorized secrets. Verifiers SHOULD NOT 
require memorized secrets to be changed arbitrarily (e.g., 
periodically). However, verifiers SHALL force a change if there is 
evidence of compromise of the authenticator."

https://pages.nist.gov/800-63-3/sp800-63b.html

Also see 
https://www.archive.ece.cmu.edu/~lbauer/papers/2011/chi2011-passwords.pdf 


Intended more for end-users, a quick video...

https://www.nist.gov/video/password-guidance-nist-0

Spend some time loading one of the available attack dictionaries into 
the OpenVMS password dictionary, and have at.  This'd be fodder for VSI 
to pre-populate the dictionary from HaveIBeenPwned or another service.  
Or to tie into HaveIBeenPwned, for that matter.

https://haveibeenpwned.com/Passwords


-- 
Pure Personal Opinion | HoffmanLabs LLC 

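As an added illustration of the NIST approach Hoffman contrasts with VSI's upper/lower-case counts, here is example code (not from the original post, VSI, or HoffmanLabs) that implements an SP 800-63B-style check: a length floor, no composition rules, and a breached-password lookup using the HaveIBeenPwned Pwned Passwords k-anonymity range scheme. The breach list and the range response are constructed stand-ins so it runs offline; a live deployment would fetch https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1> instead.

```python
import hashlib

# Constructed sample standing in for a breach corpus such as HIBP Pwned Passwords.
BREACHED_SAMPLE = {"password": 3_861_493, "Password1!": 102, "Summer2019!": 7}


def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def simulated_range_response(prefix: str) -> str:
    """Offline stand-in for the HIBP /range/{prefix} endpoint: one
    'SUFFIX:COUNT' line per breached hash that shares the 5-char prefix."""
    lines = []
    for pw, count in BREACHED_SAMPLE.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(secret: str, fetch_range=simulated_range_response) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 are sent;
    the remaining 35 chars are matched locally against the returned suffixes."""
    h = sha1_hex(secret)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def composition_rule_check(secret: str, min_upper: int = 1, min_lower: int = 1) -> bool:
    """The kind of rule the VSI filter adds (minimum upper/lower-case counts)
    and SP 800-63B says verifiers SHOULD NOT impose."""
    upper = sum(c.isupper() for c in secret)
    lower = sum(c.islower() for c in secret)
    return upper >= min_upper and lower >= min_lower


def nist_check(secret: str, min_len: int = 8, max_len: int = 64):
    """SP 800-63B-style verifier: length bounds, no composition rules,
    reject values known from breach corpora. Returns (accepted, reason)."""
    if not (min_len <= len(secret) <= max_len):
        return False, "length"
    if breach_count(secret) > 0:
        return False, "breached"
    return True, "ok"
```

The contrast shows up on "Password1!", which satisfies the composition counts yet is rejected as breached, while a long passphrase with no upper-case letters fails the composition rule but passes the NIST-style check.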