Stuart,

Allen, Stuart wrote:

> I know it's not the best solution, but I don't want to use these sys values
> to restrict people.
> There is currently a fairly free rein over passwords, so long as they're
> over 6 letters; and I think I'd get shot by angry users if I tried to force
> everyone to use non-repeating, non-adjacent, non-vowel, alphanumeric
> passwords with digits in!
> Those that wouldn't attack me would be completely mystified by the concept,
> ergo more work for me.
> I just want to disallow the mega-obvious passwords.

You can use the System Value QPWDVLDPGM to create a program that enforces your own password validation rules, including maintaining a list of disallowed passwords. Below is a sample program from the V4R4 Security Reference manual (so that you can see the Input/Output parms). You could easily add a file that contains invalid passwords and check the incoming password for a hit in the file.

A couple of things about these programs...

* Every user must be able to execute the program (*PUBLIC *USE might be appropriate).
* Every user must be able to read any object referred to by your program, so you may want to use either an adopted authority scheme or set the *PUBLIC to *USE on these objects.
* Every user must be able to find any object referred to by your program, so you may want to evaluate its placement in the system portion of the library list.
* All versions of the CHGPWD command, including Client Access and other network access, will call this program when they change their password.
* The CHGUSRPRF command does not call this program, so people who can change others' passwords are not limited by this program.
* Secure this program against change or replacement. Passwords travel into this program in clear text, so you want to be sure no one can replace it or put it in debug.
jte

/**************************************************/
/* NAME:     PWDVALID - Password Validation       */
/*                                                */
/* FUNCTION: Limit password change to one per     */
/*           day unless the password is expired   */
/**************************************************/
PGM (&NEW &OLD &RTNCD &USER)
  DCL VAR(&NEW)       TYPE(*CHAR) LEN(10)
  DCL VAR(&OLD)       TYPE(*CHAR) LEN(10)
  DCL VAR(&RTNCD)     TYPE(*CHAR) LEN(1)
  DCL VAR(&USER)      TYPE(*CHAR) LEN(10)
  DCL VAR(&JOBDATE)   TYPE(*CHAR) LEN(6)
  DCL VAR(&PWDCHGDAT) TYPE(*CHAR) LEN(6)
  DCL VAR(&PWDEXP)    TYPE(*CHAR) LEN(4)

  /* Get the current date and convert to YMD format */
  RTVJOBA DATE(&JOBDATE)
  CVTDAT DATE(&JOBDATE) TOVAR(&JOBDATE) +
         TOFMT(*YMD) TOSEP(*NONE)

  /* Get date password last changed and whether */
  /* password is expired from user profile      */
  RTVUSRPRF USRPRF(&USER) PWDCHGDAT(&PWDCHGDAT)+
            PWDEXP(&PWDEXP)

  /* Compare two dates                           */
  /* if equal and password not expired           */
  /* then send *ESCAPE message to prevent change */
  /* else set return code to allow change        */
  IF (&JOBDATE=&PWDCHGDAT *AND &PWDEXP='*NO ') +
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
              MSGDTA('Password can be changed only +
                      once per day') +
              MSGTYPE(*ESCAPE)
  ELSE CHGVAR &RTNCD '0'
ENDPGM

>
> Stuart
>
> -----Original Message-----
> From: Graap, Ken [mailto:keg@exchange.gasco.com]
> Sent: 14 June 1999 17:49
> To: 'MIDRANGE-L@midrange.com'
> Cc: 'sallen@fellowes.com'
> Subject: RE: Password Validation
>
> >I want to implement a simple password validation program to disallow
> >passwords such as "password", the company name, etc.
>
> Stuart -
>
> You can do quite a bit without having to implement a password validation
> program at all....
>
> Have you looked at the following system values closely?
>
> With all this functionality I would think that most shops could get by quite
> nicely without having to validate passwords via an exit program.
>
> Kenneth
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---

--
John Earl                     johnearl@toolnet.com
PowerTech Toolworks           206-575-0711
PowerLock Network Security    www.400security.com
The 400 School                www.400school.com
--
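Added example (not part of the original post or of the IBM manual): one way to do the disallowed-password file check suggested in the reply above, using the same four parameters and the same *ESCAPE / return-code '0' convention as the manual's sample. The program name PWDBLOCK, the file PWDLIB/BADPWD and its single 10-character field BADWORD are assumptions made for illustration.

```cl
/**************************************************/
/* NAME:     PWDBLOCK - Disallowed password check */
/* FUNCTION: Refuse a new password that equals    */
/*           the user profile name or appears in  */
/*           a file of disallowed passwords       */
/* ASSUMED:  File PWDLIB/BADPWD, one field        */
/*           BADWORD CHAR(10), upper-case entries */
/*           (hypothetical names)                 */
/**************************************************/
PGM        PARM(&NEW &OLD &RTNCD &USER)
  DCL      VAR(&NEW)   TYPE(*CHAR) LEN(10)
  DCL      VAR(&OLD)   TYPE(*CHAR) LEN(10)
  DCL      VAR(&RTNCD) TYPE(*CHAR) LEN(1)
  DCL      VAR(&USER)  TYPE(*CHAR) LEN(10)
  /* Library-qualified so the lookup does not     */
  /* depend on the caller's library list          */
  DCLF     FILE(PWDLIB/BADPWD)

  /* Password identical to the profile name       */
  IF       COND(&NEW *EQ &USER) THEN(GOTO CMDLBL(REJECT))

  /* Read the list record by record; CPF0864 is   */
  /* end of file, meaning no entry matched        */
NEXT:
  RCVF
  MONMSG   MSGID(CPF0864) EXEC(GOTO CMDLBL(ACCEPT))
  IF       COND(&NEW *EQ &BADWORD) THEN(GOTO CMDLBL(REJECT))
  GOTO     CMDLBL(NEXT)

  /* Do not put &NEW or &OLD in the message text: */
  /* both arrive here in clear text               */
REJECT:
  SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
            MSGDTA('Password is on the list of +
                    disallowed passwords') +
            MSGTYPE(*ESCAPE)

ACCEPT:
  CHGVAR   VAR(&RTNCD) VALUE('0')
ENDPGM
```

The authority and placement points in the reply apply to PWDLIB/BADPWD as well as to the program: every user who changes a password must be able to read the file, and it should be secured against change in the same way as the program itself.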