PowerTech Unveils New Password Utility
February 27, 2007 Alex Woodie
You’re only as strong as your weakest link. For many iSeries shops, the weakest link is an easy-to-guess password that could give attackers access to critical systems. To help iSeries shops clamp down on weak passwords, PowerTech Group last week unveiled a new utility called Password Control that identifies weak passwords and forces i5/OS users to pick passwords that are hard to guess.
OS/400 contains basic password functionality. As an OS/400 system administrator, you can require that users pick passwords with a certain number of digits, force them to pick a new password after a certain period of time has elapsed, and even require them to include alphanumeric characters in their passwords.
While these are all good controls to have in place, they don’t necessarily prevent bad passwords from seeping into the system. That’s why PowerTech launched Password Control, which checks all System i user profile passwords against a pre-defined and customizable list of more than 250,000 words.
If Password Control finds a password that matches a word on the list, it considers the password to be weak, and includes that information in a report. It’s up to the administrator to then take steps, such as expiring the password, to force the user to pick a stronger password.
The utility includes a second major function, implemented as an exit program, which prevents users from picking weak passwords when they change their passwords. That can be a handy tool to have as part of an overall security policy, especially in conjunction with OS/400’s password facilities.
Password Control’s customizable dictionary is really what sets it apart from OS/400’s basic password controls. Many of the quarter-million words shipped with Password Control come straight out of Webster’s Dictionary, but users can add as many words as they like to the dictionary, including words from any language.
The product’s dictionary also includes many commonly used first names, known default passwords, and proper names from pop culture. It can also detect common number-for-letter substitutions, which accurately reflects how people are picking passwords today.
For example, Password Control can detect the words “s3curity” (instead of “security”), “passw0rd” (instead of “password”), or “1ovely” (instead of “lovely”). OS/400 would allow these word derivatives as a password, but in reality, hackers are already looking for such letter substitutions.
Password Control can also check for reversed words, repeated words, and numbers appended to the end of a password, such as “flower1,” another common technique employed by people who are looking for an easy alternative to hard-to-guess (and hard-to-remember) passwords.
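The checks described above (dictionary lookup, number-for-letter substitution, reversed and repeated words, trailing digits) can be expressed as a password-change filter. The following Python is an added example, not PowerTech's code; the word list, the substitution map and the function names are assumptions made for illustration.

```python
import itertools

# Constructed sample dictionary; a real deployment would load a large word list.
WORDS = {"security", "password", "lovely", "flower", "admin"}

# Assumed substitution map. "1" is ambiguous (l or i), so both readings are tried.
SUBS = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

def deleet(pw, limit=4096):
    """Yield readings of pw with substitute characters mapped back to letters."""
    choices = [SUBS.get(c, c) for c in pw]
    # Cap the number of readings so many ambiguous characters cannot blow up the search.
    for combo in itertools.islice(itertools.product(*choices), limit):
        yield "".join(combo)

def weakness(password, words=WORDS):
    """Return a reason string if password derives from a dictionary word, else None."""
    pw = password.lower()
    stem = pw.rstrip("0123456789")  # "flower1" -> "flower"
    candidates = [(pw, "")]
    if stem and stem != pw:
        candidates.append((stem, " + trailing digits"))
    for cand, suffix in candidates:
        for reading in deleet(cand):
            if reading in words:
                kind = "dictionary word" if reading == cand else "letter substitution"
                return f"{kind} '{reading}'{suffix}"
            if reading[::-1] in words:
                return f"reversed word '{reading[::-1]}'{suffix}"
            half, odd = divmod(len(reading), 2)
            if not odd and reading[:half] == reading[half:] and reading[:half] in words:
                return f"repeated word '{reading[:half]}'{suffix}"
    return None

if __name__ == "__main__":
    # Constructed sample passwords, including the ones quoted in the article.
    for sample in ["s3curity", "passw0rd", "1ovely", "flower1",
                   "drowssap", "adminadmin", "Tr7bq-Xm2v"]:
        print(f"{sample:12} -> {weakness(sample) or 'no dictionary match'}")
```

A password that passes a digit-required rule, such as “flower1,” is still rejected here because the trailing digits are stripped before the dictionary lookup.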
“There are good password controls in OS/400, but they don’t allow you to check things such as flower. If you tried a dictionary attack it could be easily guessed,” says Brendan Patterson, PowerTech’s product manager. “Even if you enforce a digit with OS/400 controls, you can’t do flower1 with Password Control.”
PowerTech vice president of development, Jack McAfee, who spearheaded development of a similar password product while working for PentaSafe Security Technologies (since acquired by i5/OS security software developer NetIQ), says passwords are often the weakest link in a company’s security defense.
“Password Control allows administrators to prevent users from using passwords that are easily guessed. Since IBM System i servers usually host a company’s most critical business applications and data, it is imperative that user profile passwords are not easily compromised,” he says.
Password Control is available now. Pricing starts at $2,000 for a P10 system. The product supports OS/400 V5R2 or later, and works with an OS/400 password level (QPWDLVL) of 0 or 2 (it doesn’t work with the less common settings of 1 and 3, PowerTech says).
In other news, PowerTech is gearing up for its first annual user conference, which will be held next week at the Rio Hotel in Las Vegas, Nevada. The company expects more than two dozen participants, who will attend 18 sessions covering two tracks. Jim Herring, director of iSeries product management and business operations for IBM, will deliver the keynote.
PowerTech also moved its headquarters over the weekend. The company, which has more than 800 customers, needed more space, so it found a larger office in its hometown of Kent, Washington.
For more information, visit www.powertech.com.