Password User Program


The PASSWORD program is used to set or reset user passwords. See the chapter on Password Administration for a more detailed discussion on managing passwords.

Configuring the PASSWORD Program

In the Guardian environment, PASSWORD parameters must be configured by BINDing them to the PASSWORD program.

The parameters that can be bound into the PASSWORD program are:

BLINDPASSWORD

ENCRYPTPASSWORD

MINPASSWORDLEN

PROMPTPASSWORD

These parameters should be bound to the PASSWORD program even if Safeguard software is installed on the system. To determine the current value, see Viewing the PASSWORD BIND Parameters in Appendix A.

The following chart summarizes the settings with and without Safeguard software. The discussion follows.

Parameter Keyword   With Safeguard Subsystem   Without Safeguard Subsystem   Value Returned in BIND [*]
BLINDPASSWORD       ON                         ON                            000000 or 000001
ENCRYPTPASSWORD     OFF                        ON                            000000 or 000001
MINPASSWORDLEN      6-8                        6-8                           00000n
PROMPTPASSWORD      ON                         ON                            000000 or 000001

[*] Value 000000 = OFF, 000001 = ON

RISK The PASSWORD program resides in the $SYSTEM.SYSnn subvolume and is replaced upon each new operating system installation.

BP-PASSWORD-SYSGEN-01 The parameters must be bound after each operating system upgrade.

BLINDPASSWORD

The BLINDPASSWORD parameter controls whether the passwords are echoed to the terminal during the change process.

RISK When passwords are entered on the same line as the user name, they are displayed on the screen, in the clear.

If the BLINDPASSWORD value is set to zero (false), the user will see the password displayed as it is entered.

If the BLINDPASSWORD value is set to one (true), the user will not see the password displayed as it is entered.

RISK The default is zero (false); the user's password will be displayed on the user's terminal for any passer-by to see.

BLINDPASSWORD should be bound into the PASSWORD program even if Safeguard software is installed and configured with BLINDLOGON ON. The Safeguard setting configures the authentication process, which is used for all authentication attempts. Therefore, always bind BLINDPASSWORD into the PASSWORD program.

With or without Safeguard software:

BP-PASSWORD-CONFIG-01 BLINDPASSWORD should be ON.

With Safeguard software:

BP-SAFEGARD-GLOBAL-53 Safeguard BLINDLOGON global should be ON.

ENCRYPTPASSWORD

The ENCRYPTPASSWORD parameter determines whether or not passwords will be encrypted when they are stored in the userid file. If the passwords are stored in encrypted form, they are unreadable even if someone gains access to the USERID or LUSERID files.

Without Safeguard software:

RISK If passwords are not encrypted, anyone with READ access to the USERID file can extract the passwords.

If the value is set to 1 (true), passwords will be encrypted.

If the value is set to 0 (false), passwords will not be encrypted.

The default is zero (false), no encryption.

Just setting this parameter to 1 does not cause existing passwords to be encrypted; they will be encrypted the next time they are changed. Therefore, all users should change their passwords after setting this parameter.

BP-PASSWORD-CONFIG-02 ENCRYPTPASSWORD should be ON.

With Safeguard software:

RISK Whether or not Safeguard software can validate that a new password meets its MINIMUM-LENGTH requirement depends on whether or not Safeguard software performs the encryption:

If the password is encrypted by the PASSWORD program, Safeguard software receives the encrypted version of the password and cannot check for PASSWORD-MINIMUM-LENGTH.

If the Safeguard software performs the encryption through the PASSWORD-ENCRYPT attribute, it checks PASSWORD-MINIMUM-LENGTH before it encrypts the password.

BP-PASSWORD-CONFIG-02 ENCRYPTPASSWORD should be OFF.

BP-SAFEGARD-GLOBAL-06 Safeguard PASSWORD-ENCRYPT global should be ON.

MINPASSWORDLEN

The MINPASSWORDLEN parameter establishes the minimum number of characters that can make up a password. The maximum length of a password on the HP NonStop Server is eight characters. The more characters a password contains, the harder it is to 'crack'.

RISK The default is zero, no password required. If no password is required, any userid can be changed to have no password, thus allowing anyone to use the userid.

If the MINPASSWORDLEN value is 0 (zero), no password is required.

If the MINPASSWORDLEN value is set to a number between 1 and 8, a password is required.

If Safeguard is installed, its MINIMUM-LENGTH parameter will take precedence.

With or without Safeguard software:

BP-PASSWORD-CONFIG-03 MINPASSWORDLEN should be at least 6.

With Safeguard software:

BP-SAFEGARD-GLOBAL-07 Safeguard PASSWORD-MINIMUM-LENGTH global = 6.

PROMPTPASSWORD

The PROMPTPASSWORD parameter determines whether or not the PASSWORD program accepts a command-line password change, which displays the new password value on the screen, or goes through a prompting sequence instead: the old password is entered with the display suppressed, then the new password, again with the display suppressed, and then the new password once more, display suppressed, to ensure that the new password does not contain typing errors.

The default is zero (false), no prompt.

RISK If the parameter is set to zero, the password change can take place on the command line, which displays the password value and does not require knowledge of the old password, so unauthorized parties are not prevented from changing the password.

If the PROMPTPASSWORD value is zero (false), the user will be able to set the password without knowledge of the old password and will be able to see the contents of the new password.

If the PROMPTPASSWORD value is set to one (true), the user will be required to know the old password.

With or without Safeguard software:

BP-PASSWORD-CONFIG-04 PROMPTPASSWORD should be ON.
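The four BIND parameters and the three Safeguard globals discussed above form a small decision table whose expected values depend on whether Safeguard is installed. The following audit routine is an added example, not code from the book or from HP: it assumes the four BIND values have already been read from the PASSWORD object (Appendix A describes how) and are supplied as the six-digit strings the summary table shows ("000000" = OFF, "000001" = ON, "00000n" = minimum length n), and that the Safeguard globals are supplied as "ON"/"OFF" strings plus an integer length. The sample readings at the bottom are constructed, not taken from any real system.

```python
"""Audit the PASSWORD program's BIND parameters, and the Safeguard globals that
pair with them, against the best-practice settings described above.

Added example, not from the book. Inputs are assumed to be the six-digit
strings BIND returns and the Safeguard global values as "ON"/"OFF" and int.
"""

MAX_PASSWORD_LEN = 8      # Guardian passwords are at most eight characters
RECOMMENDED_MIN_LEN = 6   # BP-PASSWORD-CONFIG-03 / BP-SAFEGARD-GLOBAL-07


def _six_digits(value: str) -> int:
    """Validate the "00000n" format BIND returns and convert it to an int."""
    if not (isinstance(value, str) and value.isdigit() and len(value) == 6):
        raise ValueError(f"unexpected BIND value format: {value!r}")
    return int(value)


def bind_flag(value: str) -> bool:
    """Decode an ON/OFF BIND value: "000000" -> False (OFF), "000001" -> True (ON)."""
    n = _six_digits(value)
    if n not in (0, 1):
        raise ValueError(f"not an ON/OFF value: {value!r}")
    return n == 1


def bind_length(value: str) -> int:
    """Decode the MINPASSWORDLEN BIND value "00000n" to the integer n."""
    return _six_digits(value)


def audit_password_program(bind_values, safeguard_installed, safeguard_globals=None):
    """Return a list of (identifier, message) findings; an empty list means compliant."""
    findings = []
    blind = bind_flag(bind_values["BLINDPASSWORD"])
    encrypt = bind_flag(bind_values["ENCRYPTPASSWORD"])
    min_len = bind_length(bind_values["MINPASSWORDLEN"])
    prompt = bind_flag(bind_values["PROMPTPASSWORD"])

    # BLINDPASSWORD and PROMPTPASSWORD should be ON with or without Safeguard.
    if not blind:
        findings.append(("BP-PASSWORD-CONFIG-01",
                         "BLINDPASSWORD is OFF: passwords are echoed to the terminal as typed"))
    if not prompt:
        findings.append(("BP-PASSWORD-CONFIG-04",
                         "PROMPTPASSWORD is OFF: command-line changes display the new password "
                         "and do not require the old one"))

    # ENCRYPTPASSWORD depends on which component performs the encryption.
    if safeguard_installed and encrypt:
        findings.append(("BP-PASSWORD-CONFIG-02",
                         "ENCRYPTPASSWORD is ON with Safeguard installed: Safeguard receives an "
                         "already-encrypted password and cannot enforce PASSWORD-MINIMUM-LENGTH"))
    if not safeguard_installed and not encrypt:
        findings.append(("BP-PASSWORD-CONFIG-02",
                         "ENCRYPTPASSWORD is OFF: passwords are stored in USERID in the clear"))

    # MINPASSWORDLEN: 0 means no password at all; 8 is the platform maximum.
    if min_len > MAX_PASSWORD_LEN:
        findings.append(("BP-PASSWORD-CONFIG-03",
                         f"MINPASSWORDLEN is {min_len}, above the {MAX_PASSWORD_LEN}-character maximum"))
    elif min_len < RECOMMENDED_MIN_LEN:
        findings.append(("BP-PASSWORD-CONFIG-03",
                         f"MINPASSWORDLEN is {min_len}; it should be at least {RECOMMENDED_MIN_LEN}"))

    # With Safeguard installed, its globals take precedence and must be set too.
    if safeguard_installed:
        g = safeguard_globals or {}
        if g.get("BLINDLOGON") != "ON":
            findings.append(("BP-SAFEGARD-GLOBAL-53", "Safeguard BLINDLOGON is not ON"))
        if g.get("PASSWORD-ENCRYPT") != "ON":
            findings.append(("BP-SAFEGARD-GLOBAL-06", "Safeguard PASSWORD-ENCRYPT is not ON"))
        if int(g.get("PASSWORD-MINIMUM-LENGTH", 0)) < RECOMMENDED_MIN_LEN:
            findings.append(("BP-SAFEGARD-GLOBAL-07",
                             f"Safeguard PASSWORD-MINIMUM-LENGTH is below {RECOMMENDED_MIN_LEN}"))
    return findings


def finding_ids(findings):
    """Just the best-practice identifiers, in the order they were raised."""
    return [ident for ident, _ in findings]


# Constructed sample readings (not from any real system).
FRESH_INSTALL = {  # the defaults the text warns about, no Safeguard
    "BLINDPASSWORD": "000000", "ENCRYPTPASSWORD": "000000",
    "MINPASSWORDLEN": "000000", "PROMPTPASSWORD": "000000",
}
WITH_SAFEGUARD = {  # compliant settings when Safeguard does the encryption
    "BLINDPASSWORD": "000001", "ENCRYPTPASSWORD": "000000",
    "MINPASSWORDLEN": "000006", "PROMPTPASSWORD": "000001",
}
SAFEGUARD_GLOBALS = {"BLINDLOGON": "ON", "PASSWORD-ENCRYPT": "ON",
                     "PASSWORD-MINIMUM-LENGTH": 6}

if __name__ == "__main__":
    for ident, msg in audit_password_program(FRESH_INSTALL, safeguard_installed=False):
        print(f"{ident}: {msg}")
    result = audit_password_program(WITH_SAFEGUARD, True, SAFEGUARD_GLOBALS)
    print("with Safeguard:", result or "compliant")
```

The ENCRYPTPASSWORD branch is the one that is easy to get wrong in a generic checker: the same parameter is a finding when OFF on a system without Safeguard and a finding when ON on a system with it, because an already-encrypted password cannot be length-checked by Safeguard.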

Third Party Password Products

The PASSWORD program's internal Guardian security permits each user to reset their own password, group managers to reset the passwords of members of their group, and SUPER.SUPER to reset any user's password.

3P-PASSWORD-RESET-01 Use a third party product that allows for additional controls over resetting passwords.

3P-PASSWORD-EXPIRE-01 Use a third party product that can automatically expire passwords whenever someone other than the user tries to create or reset them.

Third party password products can help to control the password strings set by users so that they conform to certain standards. For instance, the password must contain at least 1 number.

3P-PASSWORD-CONTROL-01 Use a third party product that can control the length, character string and other limitations on the password.

Securing PASSWORD

BP-FILE-PASSWORD-01 PASSWORD should be secured "UUNU".

BP-OPSYS-LICENSE-01 PASSWORD must be LICENSED.

BP-OPSYS-OWNER-01 PASSWORD should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 PASSWORD must reside in $SYSTEM.SYSnn.

If available, use Safeguard software or a third party object security product to grant access to the PASSWORD object file only to users who require it in order to perform their jobs.

BP-SAFE-PASSWORD-01 Add a Safeguard Protection Record to grant appropriate access to the PASSWORD object file.
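The "UUNU" string in BP-FILE-PASSWORD-01 is a Guardian RWEP security vector: one letter each for Read, Write, Execute and Purge. The parser and check below are an added example, not code from the book; the letter meanings in its table follow the standard Guardian security-string convention, which the page itself does not spell out, so treat that table as an assumption to confirm against the Guardian reference for the release in use. The security strings passed in are constructed samples.

```python
"""Parse a Guardian file security string (RWEP) and check it against the
"UUNU" setting recommended for the PASSWORD object file (BP-FILE-PASSWORD-01).

Added example, not from the book. The LETTERS table is an assumption based on
the usual Guardian convention; confirm it against the reference for your release.
"""

# The four positions of a Guardian security string, in order.
OPERATIONS = ("read", "write", "execute", "purge")

# Letter -> (who is granted the operation, whether remote users also qualify).
LETTERS = {
    "O": ("owner", False),  # the file owner, local node only
    "G": ("group", False),  # the owner's group, local only
    "A": ("any",   False),  # any local user
    "U": ("owner", True),   # the owner, local or remote
    "C": ("group", True),   # the owner's group, local or remote
    "N": ("any",   True),   # any user, local or remote
    "-": ("super", False),  # SUPER.SUPER only
}


def parse_security(sec: str) -> dict:
    """Map each of read/write/execute/purge to its (scope, remote) grant."""
    sec = sec.strip().upper()
    if len(sec) != 4 or any(ch not in LETTERS for ch in sec):
        raise ValueError(f"not a Guardian security string: {sec!r}")
    return {op: LETTERS[ch] for op, ch in zip(OPERATIONS, sec)}


def check_password_security(sec: str) -> list:
    """Issues relative to UUNU: read, write and purge must stay with the owner.

    Execute is deliberately not checked, because UUNU grants it to any user
    (the program has to be runnable by the people who change their passwords).
    A "-" (SUPER.SUPER only) is accepted as at least as strict as owner-only.
    """
    parsed = parse_security(sec)
    issues = []
    for op in ("read", "write", "purge"):
        who, _remote = parsed[op]
        if who not in ("owner", "super"):
            issues.append(f"{op} is granted to {who} users; UUNU reserves it for the owner")
    return issues


if __name__ == "__main__":
    # Constructed sample strings, not readings from a real system.
    for sample in ("UUNU", "NUNU", "AAAA"):
        print(sample, check_password_security(sample) or "matches UUNU intent")
```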

Discovery Questions

Identifier                          Question                                                                             Look here:
OPSYS-OWNER-01                      Who owns the PASSWORD object file?                                                   Fileinfo
OPSYS-LICENSE-01                    Is the PASSWORD object file licensed?                                                Fileinfo
FILE-POLICY                         Is Safeguard software installed on the system?                                       Policy
FILE-PASSWORD-01, SAFE-PASSWORD-01  Is the PASSWORD object file correctly secured with the Guardian or Safeguard system?  Fileinfo, Safecom
PASSWORD-CONFIG-01                  Is the BLINDPASSWORD parameter bound into the PASSWORD program?                      Bind
PASSWORD-CONFIG-02                  Is the ENCRYPTPASSWORD parameter bound into the PASSWORD program?                    Bind
PASSWORD-CONFIG-03                  Is the MINPASSWORDLEN parameter bound into the PASSWORD program?                     Bind
PASSWORD-CONFIG-04                  Is the PROMPTPASSWORD parameter bound into the PASSWORD program?                     Bind
SAFEGARD-GLOBAL-06                  Is Safeguard global PASSWORD-ENCRYPT = ON?                                           Safecom
SAFEGARD-GLOBAL-07                  Is Safeguard global PASSWORD-MINIMUM-LENGTH = 6 or greater?                          Safecom
SAFEGARD-GLOBAL-53                  Is Safeguard global BLINDLOGON = ON?                                                 Safecom

Related Topics:

Password Administration

User Administration

BINDER

LICENSE

PROGID




HP NonStop Server Security 2004
ISBN: 159059035X
EAN: N/A
Year: 2004
Pages: 157
