Password

From VSI OpenVMS Wiki

A password is a set of characters that serves to authenticate users on an OpenVMS system. Encrypted user passwords are stored in SYSUAF.

When a user record is created, the primary password is assigned to that user with the /PASSWORD qualifier. By default, the password is pre-expired and not case sensitive.

Primary and secondary passwords

A secondary password can be added to a user record on sites with high-level security concerns. Typically, the user does not know the secondary password, and a supervisor or other key person must be present to supply it. For certain applications, the supervisor may also decide to remain present while the account is in use. The effectiveness of a secondary password depends on the trustworthiness of the supervisor who supplies it because the supervisor can remove the secondary password by changing it to a null string.

System password

System passwords are used for terminals that may be targets for unauthorized use. They are not related to user record passwords in any way except that they can also be defined in the AUTHORIZE utility.

Password standards

Maintain the appropriate level of password protection on your system through the use of relevant UAF flags and qualifiers as well as logical names.

VSI strongly encourages system managers and other users to read Appendix A—Strength of Memorized Secrets of NIST Special Publication 800-63B - Digital Identity Guidelines at a minimum.

Password history

See full article

By default, OpenVMS keeps the last 60 passwords for each user for 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained. Password history may be disabled by using the DISPWDHIS flag on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords.

Password dictionary

See full article

OpenVMS checks each new password against a system dictionary stored in SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA to ensure that it is not a native language word. To use a different file, redefine VMS$PASSWORD_DICTIONARY. To add words to the dictionary, create a text file with the words and merge it with the dictionary file. You may disable dictionary checking by setting the DISPWDDIC flag on the account, but this is not a good practice. Dictionary words are weak passwords and compromise the security of your system.

Mixed-Case Passwords with Symbols

Setting the PWDMIX flag on a user account allows the use of an extended character set for passwords. With PWDMIX clear, the password character set is A-Z, 0-9, $ and _, and the input is converted to upper case. With PWDMIX set, the valid password character set includes most printable characters on the keyboard and case is significant. Use of the space and tab characters is discouraged.

Minimum password length

To specify the minimum password length, use the /PWDMINIMUM qualifier. By default, it is 10 characters for non-privileged users and 15 for the SYSTEM account. Longer passwords are stronger. Beginning with V9.2 of VMS, the maximum password length is 64 characters. (Before using lengths over 32 characters, make sure your method of connection to the OpenVMS system permits longer passwords.)

There are restrictions on using the /GENERATE_PASSWORD qualifier with the /PWDMINIMUM qualifier. Generated passwords have an absolute length of 12 characters in OpenVMS versions before V8.4-2L3. Whenever there is a conflict between the value of /PWDMINIMUM and a generated password, the operating system uses the lesser of the two values. Beginning in OpenVMS version V8.4-2L3, the maximum length of a generated password is 30 if PWDMIX is clear, and 32 if PWDMIX is set.

Generated passwords

System generated passwords are random and therefore hard to guess. You can force users to use automatically generated passwords by setting the GENPWD flag. To set a generated password on a new user account, use the /GENERATE_PASSWORD qualifier. This qualifier works for both primary and secondary passwords.

Password lifetime

Current wisdom is that a forced password lifetime is counter-productive for most facilities. A password change should only be forced when there is reason to believe that a breach may have occurred, and then the change should be forced for all users. However, it is likely that your local policy has stricter requirements.

In a typical policy, passwords should be changed regularly (usually every 30 to 90 days for privileged users and every 90 to 180 days for normal users) to limit unauthorized use of a compromised password. This makes it harder to guess the password by just watching the user type it. To specify the length of time a password is valid, use /PWDLIFETIME with a delta time as the value. You can also specify the minimum length of time that the password must remain unchanged by defining LGI$PASSWORD_NOCHANGE_DAYS.

If you specify /NOPWDLIFETIME, the user's password will never expire; however, this is not recommended. You do need to specify /NOPWDLIFETIME if you are setting the DISFORCE_PWD_CHANGE flag, because if you don't, the user will not be prompted to change their password the first time they log in, and when they log out they will be locked out of the system.

Several days before the user's password expires, a warning message is displayed upon login. You can set the number of days by defining LGI$EXPIRATION_WARNING_DAYS.

By default, the password that you specify with the AUTHORIZE utility is subject to change by the user at login. However, sometimes (e.g. with captive accounts) you do not want the user to change the password. To prevent the user from changing the password, use the LOCKPWD flag.

Pre-expired passwords

Passwords you specify with AUTHORIZE are defined as expired by default. This forces the user to change the initial password when first logging in. The user's current password is pre-expired if the date of the last password change in their SYSUAF record is listed as "(pre-expired)". If you do not want the password you define with AUTHORIZE to be pre-expired, add the qualifier /NOPWDEXPIRED when entering the password. This is necessary for accounts whose users are not permitted to set their own password.
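The controls described in the sections above (the history and expiration logical names, extending the password dictionary, /PWDMINIMUM, /PWDLIFETIME, the PWDMIX/GENPWD/LOCKPWD flags, and /NOPWDEXPIRED for a captive account) applied from DCL, as an added example that is not part of the wiki page. The account names POLICY_TEST and CAPTIVE_APP, the local word-list file, the requirement that the word list holds one lowercase word per line, and the chosen values are assumptions to be adjusted to local policy.

```dcl
$! Added example (not from the VSI wiki page): apply the password controls
$! described above from DCL. Assumed: the accounts POLICY_TEST and
$! CAPTIVE_APP already exist, the local word list is one lowercase word per
$! line, and the values reflect local policy. Run from a privileged account.
$!
$! Site-wide logical names (normally set in SYS$MANAGER:SYLOGICALS.COM).
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIMIT    60    ! passwords kept per user
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIFETIME 365   ! days history is kept
$ DEFINE/SYSTEM/EXECUTIVE_MODE LGI$PASSWORD_NOCHANGE_DAYS    1     ! minimum days between changes
$ DEFINE/SYSTEM/EXECUTIVE_MODE LGI$EXPIRATION_WARNING_DAYS   7     ! warn this many days ahead
$!
$! Extend the dictionary with site-specific words (constructed sample words).
$ CREATE LOCAL_PASSWORD_DICTIONARY.DATA
acmecorp
projectphoenix
$ CONVERT/MERGE/PAD LOCAL_PASSWORD_DICTIONARY.DATA SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA
$!
$! Per-account controls. Flags prefixed with NO are cleared, so history and
$! dictionary screening stay on; PWDMIX enables mixed case and symbols.
$ AUTHORIZE :== $SYS$SYSTEM:AUTHORIZE
$ AUTHORIZE MODIFY POLICY_TEST -
    /PWDMINIMUM=15 -
    /PWDLIFETIME=90-00:00:00 -
    /FLAGS=(PWDMIX,GENPWD,NODISPWDHIS,NODISPWDDIC) -
    /GENERATE_PASSWORD
$!
$! Captive account whose user may not change the password: the initial
$! password must not be pre-expired (the user could never clear it), and
$! /NOPWDLIFETIME is required because DISFORCE_PWD_CHANGE is set.
$ AUTHORIZE MODIFY CAPTIVE_APP -
    /GENERATE_PASSWORD /NOPWDEXPIRED /NOPWDLIFETIME -
    /FLAGS=(CAPTIVE,LOCKPWD,DISFORCE_PWD_CHANGE)
$!
$! Verify: "Pwd Change" reads (pre-expired) for accounts awaiting first change.
$ AUTHORIZE SHOW POLICY_TEST
$ AUTHORIZE SHOW CAPTIVE_APP
$ EXIT
```

The generated password for CAPTIVE_APP is printed by AUTHORIZE when the MODIFY runs and must be recorded by the manager, since LOCKPWD prevents the user from ever changing it.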