Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
password dict
- Thread starter unixfreak
- Start date
unixfreak,
There is no fileset containing the password dictionary, it's use is controlled by a parameter in /etc/security/user i.e.:
dictionlist = /etc/security/dictionary
Create a file called dictionary, or whatever you want to call it, owned by root with 600 permissions and add in any words you do not want to be used as passwords i.e.
cat /etc/security/dictionary
password
passwd
passw0rd
You then configure the users to comply with the dictionary, do this for all users via:
chsec -f /etc/security/user -s default -a dictionlist=/etc/security/dictionary
You can have more than one dictionary file, seperate each file with a comma.
Best of luck
PSD
IBM Certified Specialist - AIX V4.3 Systems Support
IBM Certified Specialist - AIX V4 HACMP
There is no fileset containing the password dictionary, it's use is controlled by a parameter in /etc/security/user i.e.:
dictionlist = /etc/security/dictionary
Create a file called dictionary, or whatever you want to call it, owned by root with 600 permissions and add in any words you do not want to be used as passwords i.e.
cat /etc/security/dictionary
password
passwd
passw0rd
You then configure the users to comply with the dictionary, do this for all users via:
chsec -f /etc/security/user -s default -a dictionlist=/etc/security/dictionary
You can have more than one dictionary file, seperate each file with a comma.
Best of luck
PSD
IBM Certified Specialist - AIX V4.3 Systems Support
IBM Certified Specialist - AIX V4 HACMP
- Thread starter
- #3
RodKnowlton
MIS
- Apr 26, 2000
- 1,005
- 0
- 0
MikeMeyers,
You could parse the output of "lsuser -a gecos ALL" into a dictionary file.
I believe, though, that the dictionlist only prevents exact matches to the dictionary, not partial. So if you have defined special and/or numerical character password requirements (and you should have) you would also need to add all permutations possible based on the user info fields for this to be effective. This can obviously yield an enormous number of entries, and still doesn't take into account the user's other obvious choices for bad passwords (parents, kids, friends, s.o., things they see on their desk, etc...).
Rather than try to anticipate all possible bad passwords ahead of time, I run a password cracker and automatically notify users if they've selected an insecure one, nag them to change it for a period of logins, then force the change if they haven't done it. The nag screen tells the user how (and how not) to select a secure password and, in an attempt to keep the nag from becoming just one more thing the hit ENTER for, randomly selects a letter that must be input to proceed.
Proof that password security is an uphill battle: I've had more than one user call to complain that the letter they have to hit to get passed changes.
I can't describe how it warms my heart when they describe the screen thusly: "it says 'the password you've selected has been determined to be insecure, BLAH, BLAH, BLAH.'"
Oh, to be a BOFH.
Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
You could parse the output of "lsuser -a gecos ALL" into a dictionary file.
I believe, though, that the dictionlist only prevents exact matches to the dictionary, not partial. So if you have defined special and/or numerical character password requirements (and you should have) you would also need to add all permutations possible based on the user info fields for this to be effective. This can obviously yield an enormous number of entries, and still doesn't take into account the user's other obvious choices for bad passwords (parents, kids, friends, s.o., things they see on their desk, etc...).
Rather than try to anticipate all possible bad passwords ahead of time, I run a password cracker and automatically notify users if they've selected an insecure one, nag them to change it for a period of logins, then force the change if they haven't done it. The nag screen tells the user how (and how not) to select a secure password and, in an attempt to keep the nag from becoming just one more thing the hit ENTER for, randomly selects a letter that must be input to proceed.
Proof that password security is an uphill battle: I've had more than one user call to complain that the letter they have to hit to get passed changes.
I can't describe how it warms my heart when they describe the screen thusly: "it says 'the password you've selected has been determined to be insecure, BLAH, BLAH, BLAH.'"
Oh, to be a BOFH.
Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
- Status
Similar threads
