Author Topic: ARSUSEC password requirements  (Read 4905 times)

karmiller

  • Guest
ARSUSEC password requirements
« on: October 16, 2012, 09:54:58 AM »
Just curious if anyone out there has implemented something similar to the following for password requirements.  We have a new corporate policy which is requiring the following for password usage and unfortunately OnDemand does not meet the requirements.

Passwords must be of at least eight (8) characters and a combination of {alphabetic}, {upper and lower case}, {numbers}, and {special characters} (combination of any three [3] of the above four [4] listed is acceptable).

demaya

  • Guest
Re: ARSUSEC password requirements
« Reply #1 on: October 16, 2012, 11:36:41 PM »
In my company some harder requirements are coming. I bypassed this by switching to LDAP auth ;-) If our Windows meets the requirements, OD does too. So no more problems... (at least for me).

The so-called 'Security Enhancements' in 9.0 don't bring something like this up:
The following security enhancements were added:
1. You can now specify user IDs and passwords through encrypted files (stash files), instead of specifying them through the command line or a file.
2. OnDemand now tracks the following login activity:
   - The number of times a user attempts to login.
   - The last time a user logged in.
   - The last time a user changed his password and number of times he changed his password.
You can use this information to enforce security policies; for example, forcing the user to not reuse the five most recent passwords.
Link: http://pic.dhe.ibm.com/infocenter/cmod/v9r0m0/index.jsp?topic=%2Fcom.ibm.ondemand.doc%2Fod90new.htm

Cheers

Alessandro Perucchi

  • Global Moderator
  • Hero Member
  • Posts: 1002
Re: ARSUSEC password requirements
« Reply #2 on: October 18, 2012, 03:38:56 AM »
Haaa the stupid enforcement of password rules.... this is too long to explain it here, why I think that... and not the place... and you won't be able to change that, because it comes from other places where they "know" better... ( I would personally enforce minimum passphrase of at least 30 chars minimum... with eventually not twice the same password... that's all.)

Well, if CMOD doesn't give you the model for password that you want / need, as mayach said, switch to LDAP, then it will be the LDAP task to handle the change of password rules / authentication.

If you cannot use LDAP, and CMOD (even V9) doesn't have the rules you want / need, then the only solution is to write a SECURITY User Exit for that, and then you are free to do whatever rule you might want.

Check that page: http://publib.boulder.ibm.com/infocenter/cmod/v8r5m0/topic/com.ibm.ondemand.installingmp.doc/ars1i071689.htm#secuexit

Sincerely yours,
Alessandro
Alessandro Perucchi

#Install #Migrations #Conversion #Educate #Repair #Upgrade #Migrate #Enhance #Optimize #AIX #Linux #Multiplatforms #DB2 #Windows #Oracle #TSM #Tivoli #Performance #Audits #Customizing #Availability #HA #DR #JavaApi #ContentNavigator #ICN #WEBi #ODWEK #Services #PDF #AFP #XML

demaya

  • Guest
Re: ARSUSEC password requirements
« Reply #3 on: October 18, 2012, 03:45:40 AM »
If you didn't know it already: http://xkcd.com/936/

I love this one :)

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • Posts: 2229
  • CMOD Guru for hire...
    • Tenacious Consulting
Re: ARSUSEC password requirements
« Reply #4 on: October 18, 2012, 05:56:46 AM »
I've switched all my passwords to be unfathomably long, but easy for me to remember...  It actually doesn't take very long to get used to it.

The old password hashing algorithm in CMOD 8.4 and earlier was limited to 8 characters in length.  You could enter a longer password, but it only used the first 8 characters to calculate the password hash.  I haven't tested the latest version of CMOD, but with the switch to a new hashing method in CMOD 8.5, I expect that this limitation would have been eliminated.

-JD.
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

Alessandro Perucchi

  • Global Moderator
  • Hero Member
  • Posts: 1002
Re: ARSUSEC password requirements
« Reply #5 on: October 18, 2012, 05:33:36 PM »
In 8.5 the password length you could enter and that the user exit can get is 128 chars. I have a customer who needed something like 4096 to pass their token.
And now with CMOD 9, it allows a password of infinite length :-) so now your passphrase can be a bookphrase :-D  ;D
Alessandro Perucchi


karmiller

  • Guest
Re: ARSUSEC password requirements
« Reply #6 on: October 29, 2012, 01:30:24 PM »
I understand that we need to modify the ARSUSEC program.  Just looking for someone to do it for us.  Tried contacting a consulting firm and also tried to get IBM to provide a SOW on doing the work.  Guess no one wants a job.

pankaj9

  • Newbie
  • Posts: 2
Re: ARSUSEC password requirements
« Reply #7 on: April 12, 2021, 01:37:35 AM »
Hi,

We have got the same requirement in our organization where we want to set up alphanumeric passwords for CMOD users. But with CMOD 10.5 also we don't have these restrictions in place with CMOD system parameters.
Can you please let me know if you were able to get a user exit which can be used to meet this requirement of alphanumeric passwords? If you have a user exit available then can you please share that sample code with us so that we can use it to customize as per our requirement?

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • Posts: 2229
  • CMOD Guru for hire...
    • Tenacious Consulting
Re: ARSUSEC password requirements
« Reply #8 on: April 12, 2021, 06:43:03 AM »
You should probably consider switching to LDAP authentication, so that your enterprise password requirements can be enforced on CMOD with minimal effort.

-JD.

rjrussel

  • Full Member
  • Posts: 139
Re: ARSUSEC password requirements
« Reply #9 on: May 24, 2021, 01:47:17 PM »
As Justin said, you definitely should consider LDAP for authentication. Having a single place to handle password requirements is far more ideal than at the application layer.  You do not want to be updating every application when your password requirements change.

-RR


Lars Bencze

  • Full Member
  • Posts: 116
  • CMOD Expert at Skandia
    • INACTIVE - Bezland Consulting
Re: ARSUSEC password requirements
« Reply #10 on: July 12, 2021, 01:51:11 AM »
Hey @karmiller & @pankaj9 - if you still need help with customizing the ARSUSEC exit, send me a PM. I have done it several times before.
PS: Another good-to-have is a list of "unacceptable passwords", such as "12345678" and others. I've done that too with ARSUSEC.
OnDemand for MP expert. #Multiplatforms #Admin #Scripts #Performance #Support #Architecture #PDFIndexing #TSM/SP #DB2 #CustomSolutions #Integration #UserExits #Migrations #Workflow #ECM #Cloud #ODApi
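
For readers who end up writing the check themselves, here is the policy from the first post (at least eight characters, any three of the four listed categories) combined with the "unacceptable passwords" list suggested in Reply #10, as an added example that is not code from any poster and does not use the ARSUSEC exit interface. The function name, the deny-list entries and the `significant_len` parameter are assumptions; `significant_len` models the case described in Reply #4, where only the first 8 characters feed the hash, by applying the rules to that prefix only.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum pw_result { PW_OK, PW_TOO_SHORT, PW_TOO_FEW_CLASSES, PW_DENY_LISTED };

/* Constructed sample deny list; a real exit would load site-specific entries. */
static const char *const DENY_LIST[] = { "12345678", "password", "Passw0rd!" };

/* Case-insensitive match of the first n bytes of pw against a whole entry. */
static int matches_nocase(const char *pw, size_t n, const char *entry)
{
    if (strlen(entry) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)pw[i]) != tolower((unsigned char)entry[i]))
            return 0;
    return 1;
}

/* Hypothetical helper, not the ARSUSEC interface. significant_len is how many
 * leading characters the password hash uses (0 = all of them); the rules are
 * applied to that prefix, since characters beyond it protect nothing. */
enum pw_result check_password_policy(const char *pw, size_t significant_len)
{
    size_t i, len = strlen(pw);
    int upper = 0, lower = 0, digit = 0, special = 0, classes;

    if (significant_len && len > significant_len) len = significant_len;
    if (len < 8) return PW_TOO_SHORT;
    for (i = 0; i < sizeof DENY_LIST / sizeof DENY_LIST[0]; i++)
        if (matches_nocase(pw, len, DENY_LIST[i])) return PW_DENY_LISTED;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c)) upper = 1;
        else if (islower(c)) lower = 1;
        else if (isdigit(c)) digit = 1;
        else special = 1;   /* anything else, including spaces */
    }
    /* Assumed reading of the policy's four categories: alphabetic, mixed case,
     * numbers, special. Mixed case therefore also counts as alphabetic. */
    classes = (upper || lower) + (upper && lower) + digit + special;
    return classes >= 3 ? PW_OK : PW_TOO_FEW_CLASSES;
}

int main(void)
{
    printf("%d %d\n", check_password_policy("sunshine1!A", 0),
           check_password_policy("sunshine1!A", 8));
    return 0;
}
```

The same password passes when every character counts and fails when only the first 8 do, which is why the check needs to know how much of the input the hashing step really uses.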