Is there a way to encrypt MPE logon passwords to keep auditors satisfied that the HP 3000 is secure? We need to show that they cannot be easily read with the ;pass parameter (i.e. listuser xxx.yyy;pass)
The replies generated one of the longest threads of the month on the 3000-L.
Tracy Johnson offered an opinion that “the answer to your auditors is not in encrypting passwords. The answer lies in restricting AM and SM capability to only those key personnel who can use the “;pass” parameter within established policy. AM and SM capability also presumes the same capability to change another user’s password, and therefore also the ability to look it up.”
Chris Boggs reported in a virtual testimonial that “Our auditors were not satisfied by even limiting SM and AM capabilities to only two individuals (both in our department). Since we had Vesoft's Security/3000 already, I changed our regular logon IDs to use the Vesoft password, which is encrypted.
“There are other features in Vesoft security which are handy when dealing with auditors, such as password obsolescence, password “history,” minimum password standards, inactivity logouts, day/time restrictions, automatic deactivation of logon IDs after a certain number of failed logon attempts, and probably a few others.”
Bradmark’s Jerry Fochtman said some Interex Contributed Software Library routines can help. “I developed a routine to return the passwords for user/group/account (based upon caller’s capabilities) during this time. It also signaled if the password was encrypted, simply returning blanks in this case. There was another routine which given a password, would encrypt it based upon HP’s approach and tell the caller if the entered password matched the one in the system directory.”
Fochtman also took note of the Vesoft abilities and added his humble opinion on the security solution from Monterrey Software, SAFE/3000: “It also utilizes one-way encryption for its passwords. And in terms of strictly security, it is a better tool in several areas, such as network security.”
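As an added illustration (not code from the thread, from HP, or from Vesoft, and not HP's actual password scheme), the following Python models the two behaviours Fochtman describes: a capability-checked lookup in the spirit of LISTUSER ;PASS that returns blanks when the stored password is one-way, and a routine that hashes a candidate password the same way and reports whether it matches the directory entry. The directory contents, the capability sets and the choice of salted PBKDF2-HMAC-SHA256 are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of an MPE-style user directory (an assumption for
# this example, not HP's real structure). Each entry records whether the stored
# password is readable plaintext or a one-way salted hash.
ITERATIONS = 200_000


def make_plain_entry(password: str) -> dict:
    """Old style: the plaintext sits in the directory and ;PASS can show it."""
    return {"encrypted": False, "password": password}


def make_hashed_entry(password: str) -> dict:
    """One-way style: keep only a random salt and a PBKDF2 digest, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"encrypted": True, "salt": salt, "digest": digest}


def lookup_password(directory: dict, name: str, caller_caps: set) -> str:
    """Model of a ;PASS lookup: AM or SM is required, and a one-way entry yields blanks."""
    if not caller_caps & {"AM", "SM"}:
        raise PermissionError("AM or SM capability required to list passwords")
    entry = directory[name]
    return "" if entry["encrypted"] else entry["password"]


def verify_password(directory: dict, name: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    entry = directory[name]
    if not entry["encrypted"]:
        return hmac.compare_digest(entry["password"].encode(), candidate.encode())
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), entry["salt"], ITERATIONS)
    return hmac.compare_digest(digest, entry["digest"])


# Constructed sample directory: one legacy plaintext entry, one one-way entry.
DIRECTORY = {
    "MGR.PAYROLL": make_plain_entry("OLDWAY"),
    "CLERK.PAYROLL": make_hashed_entry("N3wW@y"),
}
```

Even with the one-way entry, a caller holding AM or SM can still change the password, which is Johnson's point about why capability restriction matters alongside encryption.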
Michael Gueterman, whose company Easy Does It Technologies does pre-audits for 3000 sites, added notes on using only session-level passwords.
“That’s fine for some things, but I still recommend keeping at least MPE Account passwords in place for all but the most “open” areas. For accounts with SM or PM, I also recommend MPE User passwords as well. Also, when at all possible, explicitly define what people are ALLOWED to access, instead of using generic wildcards. Wildcards make auditors unhappy, and an unhappy auditor is dangerous!”