XPQ: How to implement split password.

XPQ: How to implement split password.

Example of a PQGROUP entry for the PQACL file:
 
! Split password creation
!
PQGROUP SPLIT_PASSWORD_EXAMPLE
   ACL $AUTHORIZED
   OWNER $SECURITY
   MEMBERS $SENSITIVE
   PASSWORD_EXPIRE off
   SPLIT 2
 
The customer needs to run the password command as a member of the OWNER group. The MEMBERS specified ($SENSITIVE group) are the userids that need to have split passwords. The ACL list ($AUTHORIZED group) specifies which userids that the OWNER may designate (# specified in SPLIT keyword) to write down parts of the password.  It is recommended to have more userids contained within the ACL list than the number of ?required? userids as specified by the SPLIT keyword to ensure that adequate personnel are on-site when a password change is required.
 
Example of steps to implement a SPLIT password change:
  1. The OWNER ($SECURITY group) will execute the XYGATEPQ PASSWORD program specifying a MEMBERS ($SENSITIVE group) userid as the one to be changed.
PASSWORD <group>.<user> or <grp nbr>,<usr nbr>
  1. The software will prompt for the OWNER to enter which userids (specified in the ACL ($AUTHORIZED group)) will participate in the split password procedure.  The OWNER needs to select the total number of users that are specified by the SPLIT keyword value (i.e., 2).
  2. The software will locate the logged-on userids that were specified by the OWNER and will display them for selection.  There may be more than one (1) terminal displayed, if a user is logged on multiple times.
  3. The OWNER needs to contact the users he specified and tell them that they were selected to participate in the SPLIT password procedure.  The OWNER needs to determine (asking the involved users) which of their terminals will be PAUSED if more than one was displayed.
  4. After the OWNER has selected the PAUSED terminals, the software will proceed.
  5. The software will prompt the OWNER and each designated user (at their paused terminal) to ask them to enter their USERID?s password for additional authentication.
  6. If proper credentials are entered, the software will tell each user the sequence number of the split password that they are receiving (i.e., 1 of ?N?, 2 of ?N?, and so on).  They will also receive their portion of a ?system-generated? password and be requested that they write it down before an expiration timer trips and blanks their screen.
  7. After the users have written down their portion of the password and allowed the software to continue, they will be prompted to re-enter the just received password fragment to verify that they have a valid copy.
  8. Once this is done and correct, each user should put their piece of paper or form into an envelope that has the name of the changed userid and the password sequence number listed on its front.  I would also suggest adding the ?current? date and the user?s name and signature for auditing purposes. 
USERID:      SUPER.SUPER
PSWD SEQ:  2 of ?N?
DATE:         09/20/2012
USER:         JOHN DOE
SIGNED:      _______________
  1. Then the envelope should then be placed in a secure location.  Depending on their security policy, the secure location may hold ALL portions of the password or they may be physically separated for even greater protection against misuse.
 If this article did not provide a solution, please open a case with our support team by sending an email message to support@xypro.com.