From: CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 24-JAN-1991 17:46:43.29
To: MRGATE::"ARISIA::EVERHART"
CC:
Subj: Additional Bad Passwords not in VMS 5.4

Received: by crdgw1.ge.com (5.57/GE 1.80) id AA17412; Thu, 24 Jan 91 17:34:15 EST
Received: From UCBVAX.BERKELEY.EDU by CRVAX.SRI.COM with TCP; Thu, 24 JAN 91 09:38:26 PST
Received: by ucbvax.Berkeley.EDU (5.63/1.42) id AA14968; Thu, 24 Jan 91 09:22:19 -0800
Received: from USENET by ucbvax.Berkeley.EDU with netnews for info-vax@kl.sri.com (info-vax@kl.sri.com) (contact usenet@ucbvax.Berkeley.EDU if you have questions)
Date: 24 Jan 91 01:51:59 GMT
From: mvb.saic.com!dayton.saic.com!nieland!ted@ucsd.edu (Ted Nieland)
Subject: Additional Bad Passwords not in VMS 5.4
Message-Id: <5149.AA5149@nieland.DAYTON.OH.US>
Sender: info-vax-request@kl.sri.com
To: info-vax@kl.sri.com

The following article can be freely republished in any DECUS Publication, including all LUG Newsletters.

Additional Bad Passwords
by Ted Nieland

In the VMS 5.4 operating system, DEC has added a new security feature that screens passwords before they are set by checking them against a dictionary supplied by DEC. There is also a built-in hook that allows system programmers to add their own checks through a module DEC calls a VMS Password Policy. However, the DEC dictionary is far from complete.

This feature is a new way of enhancing security without resorting to the system-generated passwords that are a requirement in many OS security specifications. The feature, recommended to DEC by DECUS members, improves password security without forcing on users passwords that they end up writing down and posting on their terminals.

Recently a message having to do with common passwords was posted to the alt.security newsgroup on USENET. The passwords listed were taken from "A Novice's Guide to Hacking - 1989 Edition". It was a very complete list of bad passwords, containing both names and other common words.

However, a comparison between this list and the DEC-supplied dictionary shows a few words on this common-password list that are not in DEC's dictionary. These passwords are:

    guessit
    asshole
    badass
    compareall
    condom
    debbie
    deborah
    eatme
    mogul
    reagan

I expect that in a future release DEC will add these words (and more) to their dictionary, but until then people may want to use a Password Policy module that utilizes a secondary dictionary to add these words to the check list. I have submitted a password policy module that allows for a secondary dictionary to the VAX SIG Tape, and it has been posted to VMSNET.SOURCES on the VMSNET network.
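The two-tier screening the article describes, as an added Python sketch that is not DEC's code and not the author's Password Policy module: a plaintext candidate is folded to upper case (VMS of this era folded passwords to upper case before hashing, so a dictionary check that compares case-sensitively would let "Reagan" through), then looked up first in the vendor dictionary and then in a site-supplied secondary dictionary. Both word lists here are constructed stand-ins, the vendor list deliberately tiny; the one-word-per-line file format with "!" comments handled by load_dictionary is an assumption, not DEC's documented format.

```python
"""Two-tier dictionary screening of candidate passwords.

Added illustration only: not DEC's VMS 5.4 code and not the policy module
the article refers to. Both dictionaries are constructed for the example.
"""

# Constructed stand-in for the vendor-supplied dictionary (the real one is
# far larger, but, as the article notes, still missed common words).
PRIMARY_DICTIONARY = {
    "PASSWORD", "SECRET", "SYSTEM", "MANAGER", "FIELD", "SERVICE",
}

# Constructed site secondary dictionary: the words the article found missing.
SECONDARY_DICTIONARY = {
    "GUESSIT", "ASSHOLE", "BADASS", "COMPAREALL", "CONDOM",
    "DEBBIE", "DEBORAH", "EATME", "MOGUL", "REAGAN",
}


def normalize(password):
    """Fold the candidate the way the system will before storing it.

    VMS of this period upper-cased passwords before hashing, so every
    dictionary comparison must be done on the upper-cased form; comparing
    the raw input would accept "Reagan" while rejecting "reagan".
    """
    return password.strip().upper()


def load_dictionary(text):
    """Parse a dictionary file body into a set of upper-cased words.

    Assumed format: one word per line, blank lines ignored, anything after
    a '!' treated as a comment. Upper-casing here keeps the file's own case
    from mattering.
    """
    words = set()
    for line in text.splitlines():
        word = line.split("!", 1)[0].strip()
        if word:
            words.add(word.upper())
    return words


def screen_password(password, primary=PRIMARY_DICTIONARY,
                    secondary=SECONDARY_DICTIONARY):
    """Return None if the candidate is acceptable, otherwise the name of
    the list that rejected it ("primary" or "secondary").

    The secondary list is consulted only after the primary one, which is
    the role a site-supplied dictionary plays next to the vendor's: it
    fills the vendor list's gaps rather than replacing it.
    """
    candidate = normalize(password)
    if candidate in primary:
        return "primary"
    if candidate in secondary:
        return "secondary"
    return None


def words_missed_by_primary(words, primary=PRIMARY_DICTIONARY):
    """Report which known-bad words the primary dictionary alone would accept.

    This is the comparison the article performed between the alt.security
    list and DEC's dictionary, run against the constructed lists here.
    """
    return sorted(w for w in words if normalize(w) not in primary)


if __name__ == "__main__":
    for pw in ("password", "guessit", "Reagan", "Tr0ub4dor&3"):
        print("%-12s -> %s" % (pw, screen_password(pw) or "accepted"))
    print("missed by primary alone:",
          words_missed_by_primary(SECONDARY_DICTIONARY))
```

Running the block shows "password" rejected by the primary list, "guessit" and "Reagan" rejected only because the secondary list exists, and the unlisted mixed-character candidate accepted; with the secondary list switched off (pass secondary=set()), the article's ten words sail through the constructed primary dictionary just as they did through DEC's.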