[Info-vax] Enhanced Password Management
gezelter at rlgsc.com
Wed Mar 20 16:39:19 EDT 2019
On Wednesday, March 20, 2019 at 4:11:29 PM UTC-4, Stephen Hoffman wrote:
> On 2019-03-20 19:36:35 +0000, Jan-Erik Söderholm said:
>
> > Just got this from VSI:
> >
> > "Thank you to those of you who downloaded and tested the Enhanced
> > Password Management software."
> ...
> > The minimum number of upper-case characters in a password
> > The minimum number of lower-case characters in a password
> > ...
>
>
> For anyone interested, I've some open source that implements that
> filtering, and for most any OpenVMS version in use.
>
> More generally, it's interesting to see VSI headed away from what US
> NIST and other recent recommendations suggest for password composition.
>
> "Verifiers SHOULD NOT impose other composition rules (e.g., requiring
> mixtures of different character types or prohibiting consecutively
> repeated characters) for memorized secrets. Verifiers SHOULD NOT
> require memorized secrets to be changed arbitrarily (e.g.,
> periodically). However, verifiers SHALL force a change if there is
> evidence of compromise of the authenticator."
>
> https://pages.nist.gov/800-63-3/sp800-63b.html
>
> Also see
> https://www.archive.ece.cmu.edu/~lbauer/papers/2011/chi2011-passwords.pdf
>
>
> Intended more for end-users, a quick video...
>
> https://www.nist.gov/video/password-guidance-nist-0
>
> Spend some time loading one of the available attack dictionaries into
> the OpenVMS password dictionary, and have at. This'd be fodder for VSI
> to pre-populate the dictionary from HaveIBeenPwned or another service.
> Or to tie into HaveIBeenPwned, for that matter.
>
> https://haveibeenpwned.com/Passwords
>
>
> --
> Pure Personal Opinion | HoffmanLabs LLC
Hoff,
I agree with the new NIST guidance. Unfortunately, a significant number of auditors and corporate security staff do not seem to have "read the memo".
For those faced with unpersuadable enforcement, the ability to comply is helpful. As the Borg collective said, "Resistance is futile."
- Bob Gezelter, http://www.rlgsc.com