Karl,

Which government made that proclamation, and was it for all entities in 
that government?  If it's all branches of the federal government of the 
United States of America, I would have imagined that this would have been 
widely discussed in the trade press somewhere (or at least expected a 
notification from ISV security vendors to their customers).

When we were asked to require a fixed 8 character password I replied to 
our chief of security:
--<snip>---
"With a password length of 8 characters, there are approximately 
5,352,009,260,481 passwords (39**8, where 39=A-Z, plus 0-9, @,#,$).  
With a varying password lengths from 5-8 characters there are 
5,492,849,235,120 passwords (an additional 141 trillion passwords: 
140,839,974,639).

Most importantly, by making passwords a fixed length it is harder for 
people to pick an easy password and remember it.  They will either write it 
down somewhere they can find it (which usually means someplace easy to 
find), or they will pick one password and append numbers (such as MIKE0001 
in January, MIKE0002 in February, ... MIKE0012 in December).  

In all cases, this is less secure than the varying length password policy."
--<snip>---

(No doubt someone will correct my algorithm or math).

But consider that even with a fixed length of 8 characters containing A-Z, 
0-9, and @,#,$ the number of 5 1/2 trillion passwords is still a pretty 
significant barrier.

IMHO a greater barrier to security than fixed-length passwords is the 
insistence by varying sites on their own standards (must include a number, must 
not have more than 2 identical characters in a row, must not start with a 
digit, must have an uppercase letter, ... ad nauseam).  Varying standards 
may make passwords more unique on differing systems, but it also makes it 
difficult for users to create the same password on multiple systems.  So 
users write down the "unique" password somewhere, violating the whole point 
of secure passwords in the first place!! 

Passwords are usually not changed more than once every 30 days or so.  
VM:Secure can easily deal with performance of your PASSEXIT user exit being 
written in rexx.  Your requirements would be pretty easy to write in rexx. 

I used to have a long laundry list of standards (no common first names, no 
month or season names, no colors, and lots more).  But we had to drop that 
tight security when RACF could not match it on MVS.  <sigh>

Mike Walter
Hewitt Associates
The opinions expressed herein are mine alone, not my employer's.


On Tue, 11 Oct 2005 19:06:21 -0500, Karl Severson <[EMAIL PROTECTED]> 
wrote:

>The government has proclaimed new password requirements which are: at least
>eight characters in length, alphanumeric (at least one of which should be a
>capital letter) and special characters. I have the latest VM:Manager
>release (2.8, I think). I can't find this anywhere in the documentation CD
>that came with this release but will the latest VM:Secure force users to
>these above password requirements or do I have to write a "front end"
>script to be legal? There's a file on VM:Secure's 191 disk called PASSEXIT
>EXEC which does some of this (pw length and reuse control) on our current
>release (2.5A) and I figure this is the EXEC which will need to be modified
>to do the new stuff if it's even possible.
>Thanks in advance for any info!
>Karl Severson
>Raytheon Company
>=========================================================================
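An added example, not from this thread and not VM:Secure's PASSEXIT (which is written in REXX): it carries Mike's keyspace arithmetic through for the 39-symbol alphabet he names (A-Z, 0-9, @, #, $), comparing the fixed 8-character policy with a 5-8 character one, and sketches the kind of check Karl's quoted requirements would need (minimum length, a capital letter, a digit, a special character). The function names, the restriction to that 39-symbol alphabet for the checker, and the "same password with the trailing digits bumped" heuristic are my own assumptions, not something the thread specifies.

```python
# Added example (not from the original mailing-list thread, not PASSEXIT EXEC).
# Alphabet of 39 symbols as stated in the thread: A-Z, 0-9, and @ # $.
import string

SPECIALS = "@#$"
ALPHABET = string.ascii_uppercase + string.digits + SPECIALS   # 39 symbols


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords with lengths min_len..max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def compare_policies(alphabet_size: int = 39) -> dict:
    """Fixed 8-character policy versus a 5-8 character policy (Mike's comparison)."""
    fixed = keyspace(alphabet_size, 8, 8)          # 39**8
    variable = keyspace(alphabet_size, 5, 8)       # 39**5 + ... + 39**8
    return {
        "fixed_8": fixed,
        "variable_5_to_8": variable,
        "gain": variable - fixed,                  # extra passwords the shorter lengths add
        "gain_percent": 100.0 * (variable - fixed) / fixed,
    }


def meets_requirements(pw: str) -> list:
    """Return the list of violations of the requirements Karl quotes
    (empty list means the password passes).  Assumed reading of the rules:
    >= 8 characters, at least one capital letter, at least one digit,
    at least one of @ # $, and nothing outside the 39-symbol alphabet."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no capital letter")
    if not any(c in string.digits for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character (@, #, $)")
    if any(c not in ALPHABET for c in pw):
        problems.append("character outside the allowed set")
    return problems


def looks_like_incremented_reuse(old: str, new: str) -> bool:
    """Assumed heuristic for the MIKE0001 -> MIKE0002 habit Mike describes:
    same non-digit stem, only the trailing digits differ."""
    def stem(s: str) -> str:
        return s.rstrip(string.digits)
    return stem(old) != "" and stem(old) == stem(new) and old != new


if __name__ == "__main__":
    r = compare_policies()
    print(f"fixed 8 chars:      {r['fixed_8']:,}")
    print(f"5-8 chars:          {r['variable_5_to_8']:,}")
    print(f"extra from 5-7:     {r['gain']:,} ({r['gain_percent']:.2f}%)")
    # Constructed sample passwords, not real credentials.
    for candidate in ("MIKE0001", "MIKE$001", "AB$1"):
        print(candidate, "->", meets_requirements(candidate) or "ok")
    print("MIKE0001 -> MIKE0002 incremented reuse?",
          looks_like_incremented_reuse("MIKE0001", "MIKE0002"))
```

The arithmetic reproduces the two totals in Mike's note (39**8 and the 5-8 sum); running it also shows that the shorter lengths add well under three percent to the keyspace, so the argument for variable length rests on the human factors Mike raises rather than on the count alone.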
