Thanksgiving was celebrated last month in Canada where it is also called Jour de l'Action de grace and represents the end of the harvest. In the United States, we celebrate in November and give thanks to the Native Americans for keeping the English colonists from starving in the dead of winter.
The end of October saw us wrapping up two weeks of classes on the topic of NonStop security in our southern California office. Professionals attended from Malaysia, Mexico and the USA, representing manufacturing, energy and financial companies. Both our Securing Your HP NonStop Environment with Safeguard and XYGATE and the follow-on Comprehensive HP NonStop Security courses were sold out, confirming that protection of corporate information is essential, even in a down economy.
We enjoy hosting customers in our office because, like our products, it supports our mission of contributing to the protection of corporate information on the computing platform that outperforms all others. Furthermore, our education program gives our developers and technical staff a better feel for what it is that our customers need to make them successful. We welcome the partnership that results from direct interaction and exchange of information with our customers and fellow vendors and hope you find it as rewarding as we do.
Speaking of partnering, and Canada, we recently took another strategic step forward by signing an agreement with Merlon Software, based in Toronto. The agreement entitles XYPRO to represent Merlon’s products worldwide. This was a serious decision for us, and we found the business case is compelling.
Where XYPRO is aimed at protection of data, Merlon focuses on database management. Merlon’s products allow you to automate management of your file and disk space, monitor and correct database degradation, analyze key-sequenced files for proper partitioning, and increase your productivity when working with SQL/MP and SQL/MX tables. And just like many XYPRO products, Merlon products allow you to manage and monitor your NonStop server from a graphical user interface on a PC, freeing you from the drudgery of looking up commands and syntax that you might use only once in a great while. In short, this partnership helps you do more with less, and with a lot less stress for you and your staff.
Our companies have in common a dedication to excellence in customer service and the ability to build products that improve efficiency, productivity and performance in today’s complex IT environments. This partnership represents a natural progression for both companies and a great way to bring more value to the NonStop user community.
In the spirit of Thanksgiving, I would like to express my gratitude to all of our wonderful employees and partners for their dedication to making XYPRO a leader in the industry and a great place to work. And a special Thank You goes to all of our customers too, who have put their security needs in our hands.
Happy Thanksgiving everyone!!
-Sheila Johnson
Wednesday, November 18, 2009
Wednesday, November 11, 2009
Auditing the HP NonStop Server: Stop the Bad Dreams!
Ever had a bad dream about an upcoming audit? The one in which you’re told you must be prepared to assist the auditors? The HP NonStop Server is not familiar territory to many auditors, which can cause a lot of anxiety for them and you. Moreover, there are times when an auditor must tackle the audit of a NonStop server immediately, without adequate time to read the appropriate reference manuals: HP NonStop Security: A Practical Handbook, Securing HP NonStop Servers In An Open Systems World: TCP/IP, OSS and SQL and The Security Management Guide. You may have read them, or looked up a topic or two – but you probably don’t know them by heart, which only adds to your stress level.
You are not alone. The following is intended to help you educate your auditor, and lead you toward gathering the pertinent information that will be needed to conduct the audit—so you can say goodbye to your bad dreams!
The Basics
Security on the NonStop server starts with the operating system, Guardian. Guardian provides a basic level of security that deals with users and disk files and limits the READ, WRITE, EXECUTE and PURGE operations. Users in system management, operations, security and change control generally work in the Guardian environment through the TACL command interpreter. Guardian also supports the OSS ‘personality’, a UNIX-like extension that can be used in place of the TACL environment through a program called the OSS Shell, or osh.
Safeguard is the HP-supported security subsystem used to manage users, object access control lists (ACLs), auditing and security event exit processes (SEEPs). XYPRO’s proven products make it easy to use Safeguard to manage users and object ACLs, and to use SEEPs to significantly extend Safeguard functionality. Many companies in all industries around the globe use these products not only to reduce stress but also to boost security administration accuracy and productivity.
$CMON is an optional Guardian extension that allows for control of the logon operation and the program run operation. It does not require Safeguard to be used. $CMON must either exist on the NonStop server or there must be security controls to prevent its use.
Users are given access by creating Guardian or Safeguard userids. Guardian userids are no longer recommended because Guardian does not support many features available in Safeguard, the most important of which is password expiration. A userid is specified numerically as groupnumber,usernumber and by name as groupname.username. The groupnumber is between 0 and 255, and once the first user has been assigned to a group, that groupname is fixed for all userids in the group. The usernumber is between 0 and 255, and the username must be unique within the group. There is one userid that must be on the system: 255,255, which is usually called SUPER.SUPER.
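As an added example (not output of Safeguard, SAFECOM or any XYPRO tool), here is an audit-style consistency check over a constructed userid listing in the shape just described: number ranges, one groupname per group, unique usernames within a group, and the mandatory 255,255. The sample listing and its deliberate defects are constructed for the example.

```python
from collections import defaultdict

# Constructed sample listing: (groupnumber, usernumber, groupname, username).
# It is illustrative data, not the output of any HP or XYPRO tool.
SAMPLE_USERIDS = [
    (255, 255, "SUPER",   "SUPER"),
    (255,   1, "SUPER",   "OPER"),
    (100,   1, "PAYROLL", "ALICE"),
    (100,   2, "PAYROLL", "BOB"),
    (100,   3, "PAYRLL",  "CAROL"),    # groupname disagrees with the rest of group 100
    (101, 300, "BATCH",   "NIGHTLY"),  # usernumber outside 0-255
    (101,   1, "BATCH",   "NIGHTLY"),  # duplicate username within group 101
]


def audit_userids(userids) -> list:
    """Return findings for every userid rule from the post that the listing violates."""
    findings = []
    groupnames = defaultdict(set)    # groupnumber -> groupnames seen for it
    usernames = defaultdict(list)    # groupnumber -> usernames seen in it
    for gnum, unum, gname, uname in userids:
        if not 0 <= gnum <= 255:
            findings.append(f"{gname}.{uname}: groupnumber {gnum} outside 0-255")
        if not 0 <= unum <= 255:
            findings.append(f"{gname}.{uname}: usernumber {unum} outside 0-255")
        groupnames[gnum].add(gname)
        usernames[gnum].append(uname)
    # Once the first user is assigned, the groupname is fixed for the whole group.
    for gnum, names in sorted(groupnames.items()):
        if len(names) > 1:
            findings.append(f"group {gnum}: conflicting groupnames {sorted(names)}")
    # Usernames must be unique within a group.
    for gnum, names in sorted(usernames.items()):
        for name in sorted({n for n in names if names.count(n) > 1}):
            findings.append(f"group {gnum}: username {name} is not unique")
    # 255,255 (SUPER.SUPER) must exist on every system.
    if not any((g, u) == (255, 255) for g, u, _, _ in userids):
        findings.append("required userid 255,255 (SUPER.SUPER) is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_userids(SAMPLE_USERIDS):
        print(finding)
```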
For More Info:
You can view the complete article, highlighting the questions and answers surrounding some of the most common problems found on the HP NonStop server, by emailing lisap@xypro.com with “Audit NonStop Server” in the subject line.
When a more thorough audit is planned you may want to consider using a checklist where each Security Requirement is clearly identified, and the sources of such requirement are provided. You will find a complete checklist on https://www.xypro.com//. If you follow it closely and are able to “check” every item…you may find yourself PCI, SOX (Cobit), HIPAA, and SB1386 compliant and happy to invite your Auditor in. Isn’t that a dream?!
Lauren Uroff
XYPRO Technology Corporation
Wednesday, November 4, 2009
XYPRO® Announces Strategic Reseller Relationship with Merlon
Los Angeles, Calif. (November 4, 2009) XYPRO Technology Corporation, a leading provider of security software for HP NonStop™ Server environments, today announced a strategic partnership with Merlon Software Corporation of Toronto, Canada. Effective immediately, XYPRO will represent Merlon’s database management software solutions on a global scale.
“XYPRO offers a superior security solution set for businesses running on HP NonStop servers. With Merlon’s expertise and comprehensive offering in database management on the same computing platform, this partnership made complete sense,” said Rick Pettifer, CEO at Merlon. “XYPRO is a leader in the NonStop space, offering worldwide distribution channels as well as unmatched customer service to every client around the globe. With economies of scale, this really presented itself as a natural progression and a great fit for both of us.”
“Merlon products provide companies who rely on NonStop servers for storing and processing vast amounts of data with the means to efficiently administer even the most complex database environments. Demand for these solutions is high because they introduce operational simplicity and consistency vital to strengthening productivity and performance,” said Sheila Johnson, CEO at XYPRO. “We are very pleased to offer their unparalleled database management solutions. By partnering with Merlon, we can offer our clients a more robust portfolio of solutions to address their mission-critical needs.”
Wednesday, October 28, 2009
Successful Security SIG
Thursday the 8th of October saw XYPRO’s British contingent (Sean and myself, Dan) heading to London for the fourth British Isles Tandem User Group (BITUG) Special Interest Group (SIG) of the year – the subject matter being very close to our heart: security.
The location was Hewlett Packard’s Wood Street offices in Moorgate, central London. If you’re a fan of Google Earth and ever find yourself visiting those offices, make sure you take a quick trip up to the top floor in one of the glass elevators – you’re assured a great view! Back to business: HP deserve a special thanks for providing their facilities, food and refreshments.
The day started off with a Connect/GTUG update (event in Germany on 18th and 19th November, with optional Security Workshop on the 20th). The two day conference element appears to have a feature-packed schedule of around seven different tracks. For any non-German speakers considering a visit, just one of those tracks is in German, so the vast majority will be in English and ideal for international visitors. We’ll update the XYPRO news feeds as soon as the schedule is completed.
Next up was an HP Security update from Iain Liston Brown who covered several products, including the use of XYPRO’s XYGATE Merged Audit (XMA) when using HP’s Compliance Log Warehouse (CLW) with NonStop servers. This was followed by an interesting presentation by James Tomaney of Barclays. Most of the ears in the room pricked up when he broached the successful move from IBM to NonStop for Barclays’ ATM network.
The afternoon saw three vendor presentations, including XYPRO’s Audit in the Enterprise. An interesting point raised was the submissions made to the DataLoss Database website; point your browser toward http://datalossdb.org/ for some rather alarming reading.
Last up was Ron LaPedis’ Volume Level Encryption presentation, exploring the various potentials for NonStop data loss and what can be done to prevent the loss and/or encrypt the data.
It was a shame that the PCI Qualified Security Assessor (QSA) had to pull out of his presentation, as I’m sure that would have made for some useful information, but that didn’t take anything away from what was still a very useful day. Fingers crossed we’ll revisit the subject of PCI compliance on NonStop in a future event – the next one being the BITUG ‘Big SIG’ on 3rd December in London (and education day on 2nd).
With the Security SIG now out of the way, the BITUG team will be turning their attention to dotting the Is and crossing the Ts on the Big SIG plans. Keep your eye on the XYPRO news feeds (LinkedIn, Facebook, Twitter, XYPRO.com etc.) and www.bitug.com for more info.
Dan Lewis
European Marketing Manager
XYPRO Technology Corporation
Wednesday, October 21, 2009
Stockholm Calling
The last four months of 2009 sees a relative flurry of activity for the NonStop community in Europe. The first of six different outings in the space of three months started with the Viking NonStop User Group’s (VNUG) annual event. This year it was held in Sweden at the Vidbynäs Slott golf hotel in Nykvarn. That’s about an hour from Stockholm, or more like an hour and a half if you had our taxi driver, whose aptitude for navigation was matched only by our grasp of Swedish - what goes around comes around I guess!
This is XYPRO’s sixth visit to the well run and very friendly VNUG event, which has never been held in the same location twice and switches between Finland and Sweden – sometimes literally, as was the case of the ferry-based conference a couple of years ago!
Day one (28th September) was an optional education or golf day. The accredited education (Troubleshooting in the NonStop OSS Environment) was provided by HP at its Solna office and the golf was on the very picturesque course next to the conference hotel. We were unable to attend either this year, arriving late in the evening on the 28th, but on talking to the golf participants in the bar, it sounds like we were spared a tough afternoon of searching through aggressive rough and the loss of several balls to tricky water hazards!
Days two and three (29th, 30th September) saw the conference proper: a busy agenda of eight vendor presentations, two slots from HP (interesting to hear about the launch of quad core blades in 2010/2011), user presentations, and an HP Q&A session.
XYPRO’s PCI compliance and enterprise auditing presentation was scheduled in for just after lunch on the 29th. That turned out to be great timing, as everyone left lunch in an upbeat mood after having had some very good food.
Later that day saw all participants divided into teams for the VNUG competition. This involved walking the Vidbynäs Slott grounds answering NonStop-based quiz questions. An expertly timed beer stop after question four ensured everyone had enough lubrication to complete the full ten questions without any hardship. Proving that my team was paying full attention during the day’s presentations, I found myself in the joint winning team (9 out of 10 correct) and recipient of a rather splendid chopping board and carving kit – which later resulted in a fine from British Airways for overweight baggage, but that’s a different story! More great food and wine at dinner set the scene for a good evening of business networking and competitions in the pool lounge upstairs...
Day three picked up where the conference part of day two had ended. HP’s NonStop Programs Marketing Manager, Diana Cortes’ update made for some interesting viewing, including news of the Connect Global NonStop Summit being planned for October or November 2010 in California – exact details are still being finalised. The conference came to an end mid afternoon on the 30th, with presentation of various vendor and VNUG competition prizes – congratulations to Esa from Nordic Processor who won XYPRO’s prize, a wireless iPod dock.
Our thanks to Tommy Johansson and everyone at VNUG for putting on another excellent event. We’ll hopefully see you again in December for the unofficial ‘VNUG Christmas Beers’ I was talking to Sami about! Failing that, we look forward to VNUG 2010.
See the XYPRO calendar for all upcoming European and global events we’ll be attending.
Dan Lewis
European Marketing Manager
XYPRO Technology
Wednesday, October 14, 2009
Use XSW to save time and money for HP NonStop file reports and compliance
Part 1 of 3
Why would you even think of using DSAP for PCI, SOX, HIPAA or other security compliance reports? Yes, you can create DSAP reports on HP NonStop Guardian files, such as PROGID, LICENSE, files greater than some size, security settings or owners, but doing so kills hours and hours of your time. Creating these reports for just a single node would take hours, and what you would have is a pile of useless paper! I feel sorry for the wasted trees.
Using XYPRO’s Security Compliance Wizard (XSW) can save you all that grief and time to generate PCI, SOX, HIPAA or other security compliance reports. Don’t waste your time! XSW can automatically create these custom reports for you in minutes, instead of hours or days. In addition, it can be streamlined to identify only changed files, thus saving many hours of analysis work. XSW can collect from multiple systems and generate combined reports from the multiple systems, something you just can’t do with any other tool.
- Ellen Alvarado
NonStop Security Specialist
Wednesday, October 7, 2009
How to Resist a Dictionary Attack:
Password Quality is Key
If you’re a security or network administrator, then you probably already know that withstanding a dictionary attack is a common security requirement. For those who may not know, a dictionary attack refers to the general technique of trying to guess some secret, usually a password, by running through a list of likely possibilities, often a list of words from a dictionary.
So, what type of password can resist a dictionary attack? Well, one that is not a word that can be found in any dictionary, of course! Simply put, the best defense against a dictionary attack is a strong password composed of a combination of different types of characters.
Password Quality is Key!
Password quality is so critical that it is a PCI compliance requirement. Further, password quality plays a key role in resisting even a brute force attack, because the password cracking programs used for such attacks work by applying all the common variations of every word in the dictionary. They also generate character sequences, working through all possible one-character passwords, then two-character, then three-character, etc. Each variation is hashed and the resulting hash is compared to the hashes in the password file being cracked; if the hashes match, the password is known.
Our Solution
XYPRO’s Password Quality (XPQ) software has helped numerous users effectively resist a dictionary attack. XPQ provides a wide range of password strengthening techniques, forcing users to create passwords that are able to withstand a dictionary attack. XPQ can be configured to require the following of users when creating or changing their passwords:
• Include both upper and lower case characters
• Include special characters in the password
• Include control characters in the password
• Include letters and numbers in the password
• Do not include any part of the user’s logon ID in the password
• Use passwords of up to 64 characters in length
What’s more, the rules can be mixed and matched to meet any site’s password quality requirements. Along with a minimum password length, periodic password expiration, and password history tracking, passwords created with XPQ-enforced rules would be virtually unbreakable via a dictionary attack.
In addition to enforcing Password Quality rules, XPQ offers yet another approach to withstanding a dictionary attack – generated passwords. If XPQ is configured to take advantage of this function, the generated passwords always match your configured quality rules and, therefore, are not vulnerable to a dictionary attack. Because many dictionary attacks target privileged userids such as SUPER.SUPER or the application owners, companies could establish a policy of always using generated passwords for their privileged userids.
The Proof is in the Numbers
The table below shows the amount of time* a successful brute force attack takes, depending on the combination of characters used in the password.
*The numbers should not be interpreted as actual time. The speed of the attack depends on multiple factors including computing resources, password encryption level, etc. However the table is a good illustration of how important enforcing password quality rules is for brute force attack resistance. Source for statistics and calculations: http://geodsoft.com/howto/password/cracking_passwords.htm
As the table shows, cracking a “simple” seven-character password would take 22.3 hours, while the same seven-character password composed of mixed case characters extends the attack time to 3.91 months. Adding numbers and symbols to the password extends the time needed to process all possible combinations to more than two years. So, if a password is also changed regularly, this can mean an extended state of security against an attack.
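As an added example (not XYPRO’s XPQ, and not XPQ’s configuration format), here is an illustrative checker for the rules listed under “Our Solution” together with the keyspace arithmetic behind the timing table. The minimum length, the three-character definition of a logon-ID “part” and the 100,000 guesses-per-second rate are assumptions; the rate was chosen because it reproduces the 22.3-hour and 3.91-month figures quoted above.

```python
import string
from dataclasses import dataclass

# Added example: an illustrative password-quality checker modelled on the rules the post
# lists, plus the keyspace arithmetic behind its brute-force timing table.
# It is not XYPRO's XPQ and does not use XPQ's configuration syntax.

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 7            # assumed site minimum; the post gives none
    max_length: int = 64           # "up to 64 characters"
    require_mixed_case: bool = True
    require_special: bool = True
    require_control: bool = False  # the post lists this rule; off by default here
    require_letters_and_digits: bool = True
    forbid_logon_id_parts: bool = True
    id_fragment_length: int = 3    # assumed: any 3+ character run of the ID is a "part"


def _is_control(c: str) -> bool:
    return ord(c) < 32 or ord(c) == 127


def logon_id_fragments(logon_id: str, n: int) -> set:
    """Case-folded substrings of length n taken from each component of GROUP.USER."""
    frags = set()
    for part in logon_id.upper().split("."):
        if not part:
            continue
        if len(part) < n:          # a short component counts as a whole
            frags.add(part)
        frags.update(part[i:i + n] for i in range(len(part) - n + 1))
    return frags


def check_password(password: str, logon_id: str,
                   policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return the rule violations for a proposed password; an empty list means it passes."""
    failures = []

    def has(pred):
        return any(pred(c) for c in password)

    if not policy.min_length <= len(password) <= policy.max_length:
        failures.append(f"length must be {policy.min_length}-{policy.max_length} characters")
    if policy.require_mixed_case and not (has(str.islower) and has(str.isupper)):
        failures.append("must contain both upper and lower case letters")
    if policy.require_special and not has(lambda c: c in string.punctuation):
        failures.append("must contain a special character")
    if policy.require_control and not has(_is_control):
        failures.append("must contain a control character")
    if policy.require_letters_and_digits and not (has(str.isalpha) and has(str.isdigit)):
        failures.append("must contain both letters and numbers")
    if policy.forbid_logon_id_parts:
        frags = logon_id_fragments(logon_id, policy.id_fragment_length)
        if any(f in password.upper() for f in frags):
            failures.append("must not contain any part of the logon ID")
    return failures


# Brute-force arithmetic behind the post's table. The guess rate is an assumption chosen
# because it reproduces the post's figures (22.3 hours / 3.91 months for 7 characters).
ASSUMED_GUESSES_PER_SECOND = 100_000
CHARSET_SIZES = {"lower": 26, "mixed": 52, "mixed+digits": 62, "mixed+digits+symbols": 94}
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 86400
SECONDS_PER_MONTH = SECONDS_PER_YEAR / 12


def exhaustive_search_seconds(length: int, charset_size: int,
                              rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to try every password of exactly `length` characters over the charset.
    (Summing lengths 1..n, as a cracker actually proceeds, adds only about 1/(size-1).)"""
    return charset_size ** length / rate


def timing_table(length: int = 7) -> dict:
    """Exhaustive-search time per charset for one length, in the unit the post uses."""
    rows = {}
    for name, size in CHARSET_SIZES.items():
        secs = exhaustive_search_seconds(length, size)
        if secs < SECONDS_PER_MONTH:
            rows[name] = (round(secs / SECONDS_PER_HOUR, 1), "hours")
        elif secs < SECONDS_PER_YEAR:
            rows[name] = (round(secs / SECONDS_PER_MONTH, 2), "months")
        else:
            rows[name] = (round(secs / SECONDS_PER_YEAR, 1), "years")
    return rows


if __name__ == "__main__":
    print(check_password("super123", "SUPER.SUPER"))
    for name, (value, unit) in timing_table().items():
        print(f"{name:>22}: {value} {unit}")
```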
Bottom line: Don’t let your system and critical data be left vulnerable to attack due to easily decoded passwords. Maximize XPQ to keep your passwords up to par!
Want to learn more? Visit us at www.xypro.com