OnDemand Users Group

Support Forums => CMOD for Multiplatforms => Topic started by: karmiller on October 16, 2012, 04:54:58 PM

Title: ARSUSEC password requirements
Post by: karmiller on October 16, 2012, 04:54:58 PM
Just curious if anyone out there has implemented something similar to the following for password requirements.  We have a new corporate policy which is requiring the following for password usage and unfortunately OnDemand does not meet the requirements.

Passwords must be of at least eight (8) characters and a combination of {alphabetic}, {upper and lower case}, {numbers}, and {special characters} (combination of any three [3] of the above four [4] listed is acceptable).
Title: Re: ARSUSEC password requirements
Post by: demaya on October 17, 2012, 06:36:41 AM
In my company some harder requirements are coming. I bypassed this by switching to LDAP auth ;-) If our Windows meets the requirements, OD does too. So no more problems... (at least for me).

The so called 'Security Enhancements' in 9.0 don't bring something like this up:
The following security enhancements were added:
1 You can now specify user IDs and passwords through encrypted files (stash files), instead of specifying them through the command line or a file.
2 OnDemand now tracks the following login activity:
   - The number of times a user attempts to login.
   - The last time a user logged in.
   - The last time a user changed his password and number of times he changed his password.
You can use this information to enforce security policies; for example, forcing the user to not reuse the five most recent passwords.
Link: http://pic.dhe.ibm.com/infocenter/cmod/v9r0m0/index.jsp?topic=%2Fcom.ibm.ondemand.doc%2Fod90new.htm

Cheers
Title: Re: ARSUSEC password requirements
Post by: Alessandro Perucchi on October 18, 2012, 10:38:56 AM
Haaa the stupid enforcement of password rules.... this is too long to explain it here, why I think that... and not the place... and you won't be able to change that, because it comes from other places where they "know" better... ( I would personally enforce minimum passphrase of at least 30 chars minimum... with eventually not twice the same password... that's all.)

Well, if CMOD doesn't give you the model for password that you want / need, as demaya said, switch to LDAP, then it will be the LDAP task to handle the change of password rules / authentication.

If you cannot use LDAP, and CMOD (even V9) doesn't have the rules you want / need, then the only solution is to write a SECURITY User Exit for that, and then you are free to do whatever rule you might want.

Check that page: http://publib.boulder.ibm.com/infocenter/cmod/v8r5m0/topic/com.ibm.ondemand.installingmp.doc/ars1i071689.htm#secuexit

Sincerely yours,
Alessandro
Title: Re: ARSUSEC password requirements
Post by: demaya on October 18, 2012, 10:45:40 AM
If you didn't know it already: http://xkcd.com/936/

I love this one :)
Title: Re: ARSUSEC password requirements
Post by: Justin Derrick on October 18, 2012, 12:56:46 PM
I've switched all my passwords to be unfathomably long, but easy for me to remember...  It actually doesn't take very long to get used to it.

The old password hashing algorithm in CMOD 8.4 and earlier was limited to 8 characters in length.  You could enter a longer password, but it only used the first 8 characters to calculate the password hash.  I haven't tested the latest version of CMOD, but with the switch to a new hashing method in CMOD 8.5, I expect that this limitation would have been eliminated.

-JD.
Title: Re: ARSUSEC password requirements
Post by: Alessandro Perucchi on October 19, 2012, 12:33:36 AM
In 8.5 the password length you could enter and that the user exit can get is 128 chars. I have a customer who needed something like 4096 to pass their token.
And now with CMOD 9, it allows a password of infinite length :-) so now your passphrase can be a bookphrase :-D  ;D
Title: Re: ARSUSEC password requirements
Post by: karmiller on October 29, 2012, 08:30:24 PM
I understand that we need to modify the ARSUSEC program.  Just looking for someone to do it for us.  Tried contacting a consulting firm and also tried to get IBM to provide a SOW on doing the work.  Guess no one wants a job.
Title: Re: ARSUSEC password requirements
Post by: pankaj9 on April 12, 2021, 08:37:35 AM
Hi,

We have got the same requirement in our organization where we want to set up alphanumeric passwords for CMOD users. But with CMOD 10.5 also we don't have these restrictions in place with CMOD system parameters.
Can you please let me know if you were able to get a user exit which can be used to meet this requirement of alphanumeric passwords? If you have a user exit available then can you please share that sample code with us so that we can use it to customize as per our requirement?
Title: Re: ARSUSEC password requirements
Post by: Justin Derrick on April 12, 2021, 01:43:03 PM
You should probably consider switching to LDAP authentication, so that your enterprise password requirements can be enforced on CMOD with minimal effort.

-JD.
Title: Re: ARSUSEC password requirements
Post by: rjrussel on May 24, 2021, 08:47:17 PM
As Justin said, you definitely should consider LDAP for authentication. Having a single place to handle password requirements is far more ideal than at the application layer.  You do not want to be updating every application when your password requirements change.

-RR

Title: Re: ARSUSEC password requirements
Post by: Lars Bencze on July 12, 2021, 08:51:11 AM
Hey @karmiller & @pankaj9 - if you still need help with customizing the ARSUSEC exit, send me a PM. I have done it several times before.
PS: Another good-to-have is a list of "unacceptable passwords", such as "12345678" and others. I've done that too with ARSUSEC.
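An added illustration (my own code, not from this thread and not the CMOD ARSUSEC exit API): the corporate rule quoted in the first post (8+ characters, any three of lower/upper/digit/special) together with the "unacceptable passwords" list Lars mentions, written as a plain C check that an ARSUSEC-style exit could call before accepting a new password. The function name, the reason strings and the blocklist entries are assumptions of mine; the hook into the exit itself is not shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed blocklist for illustration only; a real exit would load it from a file. */
static const char *const BLOCKLIST[] = { "12345678", "password", "Password1!", NULL };
/* Case-insensitive equality, so "PASSWORD" is caught by the "password" entry. */
static int equals_ignore_case(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* 1 if pw meets the thread's rule (8+ chars, three of lower/upper/digit/special) and is
 * not blocklisted; else 0 and, if reason is non-NULL, a static message for the user. */
int password_meets_policy(const char *pw, const char **reason)
{
    int lower = 0, upper = 0, digit = 0, special = 0;
    if (strlen(pw) < 8) {
        if (reason) *reason = "shorter than 8 characters";
        return 0;
    }
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p))      lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else                  special = 1;   /* anything else counts, spaces included */
    }
    if (lower + upper + digit + special < 3) {
        if (reason) *reason = "needs 3 of 4 classes: lower, upper, digit, special";
        return 0;
    }
    for (int i = 0; BLOCKLIST[i] != NULL; i++)
        if (equals_ignore_case(pw, BLOCKLIST[i])) {
            if (reason) *reason = "on the unacceptable-password list";
            return 0;
        }
    return 1;
}
int main(void)
{
    const char *samples[] = { "Abcdefg1", "Password1!", "correct horse battery staple" };
    for (int i = 0; i < 3; i++) {
        const char *why = "ok";
        int ok = password_meets_policy(samples[i], &why);
        printf("%-30s -> %s (%s)\n", samples[i], ok ? "accept" : "reject", why);
    }
    return 0;
}
```

Note that a four-word lowercase passphrase of the xkcd kind fails this rule on character classes alone, which is the tension between the corporate policy and the long-passphrase advice earlier in the thread.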