[Info-vax] VMS humor

Jan-Erik Söderholm jan-erik.soderholm at telia.com
Thu Dec 31 06:58:54 EST 2020


Den 2020-12-31 kl. 07:29, skrev John Reagan:
> On Wednesday, December 30, 2020 at 10:23:33 PM UTC-5, Craig A. Berry wrote:
>> On 12/30/20 7:53 PM, John Reagan wrote:
>>> On Wednesday, December 30, 2020 at 11:21:28 AM UTC-5, Craig A. Berry wrote:
>>>> On 12/30/20 7:25 AM, VAX... at SendSpamHere.ORG wrote:
>>>>> In article <74ad5ee7-5ee4-4aac... at googlegroups.com>, John Reagan <xyzz... at gmail.com> writes:
>>>>>> On Tuesday, December 29, 2020 at 5:49:23 PM UTC-5, Michael Moroney wrote:
>>>>>>> Does anyone else wonder if the drug manufacturers use the VMS password
>>>>>>> generator to name new drugs? :-)
>>>>>> On x86, it will be harder to pronounce:
>>>>>>
>>>>>> $ set password/generate=16/algo=mixed
>>>>>> Old password:
>>>>>>
>>>>>> knE~yAZ7dv=K]+Ui
>>>>>> 3t;yh58-6T1[Oa7;
>>>>>> 40Ie652I[6xlW3Yl
>>>>>> ud58{>!1&R17h7uo
>>>>>> dRcp7Se{'8^1<mK0
>>>>>>
>>>>>> Choose a password from this list, or press RETURN to get a new list
>>>>>
>>>>> And harder to remember! That'll ensure that the user records their
>>>>> password somewhere besides in their memory.
>>
>>>> And goes against current NIST guidelines for long, easy-to-remember
>>>> passwords that do not routinely expire. Of course most auditors go by
>>>> what NIST said a decade or two ago, so a lot of folks won't have any
>>>> choice about following older practices.
>>
>>> Easy-to-remember and high entropy don't mix.
>> Yes, they most certainly do. "King Philip fried a pheasant on Friday!"
>> is much easier to remember than "ud58{>!1&R17h7uo" and has 189 bits of
>> entropy compared to 72 bits. You seem to have missed some of the most
>> salient bits of the section you quoted, notably:
>> "Verifiers SHOULD NOT impose other composition rules (e.g., requiring
>> mixtures of different character types or prohibiting consecutively
>> repeated characters) for memorized secrets. Verifiers SHOULD NOT require
>> memorized secrets to be changed arbitrarily (e.g., periodically)."
>> and:
>> "Length and complexity requirements beyond those recommended here
>> significantly increase the difficulty of memorized secrets and increase
>> user frustration. As a result, users often work around these
>> restrictions in a way that is counterproductive."
>> So, as I said, the "harder to pronounce" generated passwords that we'll
>> apparently get with x86 VMS are pretty much what everyone else has been
>> doing but directly contradict current NIST recommendations.
>>>
> The phrase "King Philip fried a pheasant on Friday!" is 7 words out of a dictionary full of words.
> The distribution is quite predictable as each English word (yes, there are a few exceptions known
> to Scrabble players) contains at least one vowel. How did you determine 189?
> 
> I'm not in the XKCD camp and fall in with Steve Gibson.
> 
> https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
> 
> 
> You can pick the old style as well.
> 
> $ set pass /generate=16 /algorithm=alphabetic
> Old password:
> 
> heabneyssiontenvok
> gatotormedickings
> housesupsystraste
> alietesciabatter
> satubmunhastonal
> 
> Choose a password from this list, or press RETURN to get a new list
> New password:
> 
> And "correcthorsebatterystaple" now has an entropy of 1 bit.
> 

About login in general...

My customer has implemented MFA on all logins to the corporate
environment that, apart from the usual password, requires you to
select one of the four MFA methods below.

Notification on authenticator app
Verification code on authenticator app
SMS to phone
Call to phone

(I currently use the SMS method.)

Have there been any investigations of integration of MFA in/from VMS?
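A worked entropy calculation for the two generation models argued over in the quoted part of this thread, added here as an example rather than anything from the thread or from VMS itself; the alphabet size, the word-list size and the known-phrase list are assumptions, not figures from the posts.

```python
import math

# Assumed sizes (constructed for this example, not taken from VMS docs):
MIXED_ALPHABET = 94      # printable ASCII excluding space, for /algo=mixed
LOWER_ALPHABET = 26      # lower-case letters, for /algorithm=alphabetic
WORD_LIST_SIZE = 7776    # a Diceware-size word list (6**5 entries)

# Phrases that have become well known; an assumed, tiny blocklist.
KNOWN_PHRASES = {"correcthorsebatterystaple"}


def char_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly and
    independently from an alphabet of `alphabet_size` symbols.
    For a pronounceable generator this is only an upper bound, since
    the syllable rules exclude most letter combinations."""
    return length * math.log2(alphabet_size)


def word_entropy_bits(word_count: int, list_size: int) -> float:
    """Bits of entropy for `word_count` words drawn uniformly from a
    list of `list_size` words. Only the choice of words counts; the
    letters inside each word add nothing."""
    return word_count * math.log2(list_size)


def list_size_for(bits: float, word_count: int) -> float:
    """Word-list size needed for `word_count` words to reach `bits`."""
    return 2 ** (bits / word_count)


def effective_entropy_bits(secret: str, model_bits: float) -> float:
    """A secret found on a known-phrase list is guessed first no matter
    what its generation model says, so it gets no credit."""
    normalised = secret.lower().replace(" ", "")
    return 0.0 if normalised in KNOWN_PHRASES else model_bits


if __name__ == "__main__":
    print(f"16 mixed chars: {char_entropy_bits(16, MIXED_ALPHABET):.1f} bits")
    print(f"16 lower chars: {char_entropy_bits(16, LOWER_ALPHABET):.1f} bits (upper bound)")
    print(f"7 list words:   {word_entropy_bits(7, WORD_LIST_SIZE):.1f} bits")
    print(f"list size for 189 bits from 7 words: {list_size_for(189, 7):,.0f}")
    print(f"known phrase:   {effective_entropy_bits('correct horse battery staple', 90.5)} bits")
```

Under a words-from-a-list model, 189 bits for 7 words would need a list of 2^27 entries, which is why the number depends entirely on how the phrase is assumed to have been chosen.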