Part of our SOX audit requires that we test for accounts with blank passwords.
In UNIX, I am doing something like "awk -F: '!$2' /etc/passwd" - how can I do
the same in VMS?
I have gawk for VMS, if that helps, and gawk's FIELDWIDTHS feature might be
useful in processing SYSUAF.
(9761) OpenVMS and Blank/Null Passwords?
Re: (9761) OpenVMS and Blank/Null Passwords?
Unless there are privileged users overriding security policy, there
cannot be passwords shorter than the required password length; shorter
than the established password minimum length value.
There is no means available to reverse the password hashing algorithm,
the test would involve using the blank password, the username, and the
salt, producing a new hashed password value, and comparing it to the
binary value of the current hashed password. No cleartext password
is available within the authorization database.
If you have privileged users overriding security-relevent attributes
such as the established system password length policy, you have far
larger security issues than searching for potentially blank passwords.
You will want to review and to remove the privileges of such users,
of course.
You can force a password change using the expired-password setting.
When next the user logs in, a password change will be required.
For details on OpenVMS system security and recommendations, please
see the OpenVMS System Security Manual.
For what should be obvious reasons, the OpenVMS Wizard is not in a
position to recommend password-cracking tools, but such tools are
undoubtedly available.
Related topics include (1461), (1645), (4303), (4612), (4778), (6328),
(7818), (8985), (9728), and various others.
cannot be passwords shorter than the required password length; shorter
than the established password minimum length value.
There is no means available to reverse the password hashing algorithm,
the test would involve using the blank password, the username, and the
salt, producing a new hashed password value, and comparing it to the
binary value of the current hashed password. No cleartext password
is available within the authorization database.
If you have privileged users overriding security-relevent attributes
such as the established system password length policy, you have far
larger security issues than searching for potentially blank passwords.
You will want to review and to remove the privileges of such users,
of course.
You can force a password change using the expired-password setting.
When next the user logs in, a password change will be required.
For details on OpenVMS system security and recommendations, please
see the OpenVMS System Security Manual.
For what should be obvious reasons, the OpenVMS Wizard is not in a
position to recommend password-cracking tools, but such tools are
undoubtedly available.
Related topics include (1461), (1645), (4303), (4612), (4778), (6328),
(7818), (8985), (9728), and various others.