From VSI OpenVMS Wiki

A password is a set of characters that serves to authenticate users on an OpenVMS system. Encrypted user passwords are stored in SYSUAF.

When a user record is created, the primary password is assigned to that user with the /PASSWORD qualifier. By default, the password is pre-expired and not case sensitive.

Primary and secondary passwords

A secondary password can be added to a user record on sites with high-level security concerns. Typically, the user does not know the secondary password, and a supervisor or other key person must be present to supply it. For certain applications, the supervisor may also decide to remain present while the account is in use. The effectiveness of a secondary password depends on the trustworthiness of the supervisor who supplies it, because the supervisor can remove the secondary password by changing it to a null string.

System password

System passwords are used for terminals that may be targets for unauthorized use. They are not related to user record passwords in any way except that they can also be defined in the AUTHORIZE utility.

Password standards

Maintain the appropriate level of password protection on your system through the use of the relevant UAF flags and qualifiers as well as logical names.

Password history


By default, OpenVMS keeps the last 60 passwords for each user, or those used in the last 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained. Password history may be disabled by setting the DISPWDHIS flag on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords. However, you may want to disable it for accounts that are seldom used, to avoid having to set a new password each time they are used.

Password dictionary


OpenVMS checks each new password against a system dictionary stored in SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA to ensure that it is not a native language word. To use a different file, redefine VMS$PASSWORD_DICTIONARY. To add words to the dictionary, create a text file with the words and merge it with the dictionary file. You may disable dictionary checking by setting the DISPWDDIC flag on the account, but this is not a good practice. Dictionary words are weak passwords and compromise the security of your system.
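The following DCL command procedure shows how the system-wide controls from the two sections above (password history limits and the site dictionary) would be set. It is an added example, not content from the wiki page: the values 30 and 180, the local word list, and the alternative dictionary file name SYS$LIBRARY:SITE_PASSWORD_DICTIONARY.DATA are illustrative assumptions, and the CONVERT/MERGE step follows the procedure given in the OpenVMS security documentation for adding words to the dictionary, so check it against your version before relying on it.

```dcl
$! Added example (not from the wiki page). Settings below are assumptions
$! chosen for illustration; adjust to site policy.
$!
$! --- Password history (page defaults: 60 passwords / 365 days) ---
$! Keep the last 30 passwords, or those used in the last 180 days.
$! These logical names must be system-wide and executive mode.
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIMIT 30
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIFETIME 180
$!
$! --- Password dictionary ---
$! Build a local word list (lowercase, one word per line). The words here
$! are constructed sample data: site and product names users tend to pick.
$ CREATE LOCAL_PASSWORD_DICTIONARY.DATA
examplecorp
widgetmaster
$!
$! Merge the local list into the system dictionary so that new passwords
$! matching these words are rejected.
$ CONVERT/MERGE/PAD LOCAL_PASSWORD_DICTIONARY.DATA -
        SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA
$!
$! Alternative: use a completely different dictionary file instead
$! (file name is hypothetical) by redefining VMS$PASSWORD_DICTIONARY.
$! DEFINE/SYSTEM/EXECUTIVE_MODE VMS$PASSWORD_DICTIONARY -
$!      SYS$LIBRARY:SITE_PASSWORD_DICTIONARY.DATA
$!
$! Logical names do not survive a reboot; place the DEFINE commands in
$! SYS$MANAGER:SYLOGICALS.COM so they are re-established at startup.
$ EXIT
```

Keeping these definitions in SYLOGICALS.COM rather than typing them interactively is the important operational point: a system that boots without them silently falls back to the defaults, which is easy to miss in a later audit.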

Minimum password length

To specify the minimum password length, use the /PWDMINIMUM qualifier. By default, it is 6 characters. Generally, long passwords are stronger, but in OpenVMS it does not usually make sense to set the minimum password length to more than 10 characters. There are restrictions on using the /GENERATE_PASSWORD qualifier with the /PWDMINIMUM qualifier. Generated passwords have an absolute length of 12 characters. Whenever there is a conflict between the value of /PWDMINIMUM and a generated password, the operating system uses the lesser of the two values.

Generated passwords

System-generated passwords are random and therefore hard to guess. You can force users to use automatically generated passwords by setting the GENPWD flag. To set a generated password on a new user account, use the /GENERATE_PASSWORD qualifier. This qualifier works for both primary and secondary passwords.

Password lifetime

Typically, passwords should be changed regularly (usually every 30 to 90 days for privileged users and every 90 to 180 days for normal users) to limit unauthorized use of a compromised password. This also makes it harder to learn the password by watching the user type it. To specify the length of time a password is valid, use /PWDLIFETIME with a delta time as the value. You can also specify the minimum length of time that the password must remain unchanged by defining LGI$PASSWORD_NOCHANGE_DAYS.

If you specify /NOPWDLIFETIME, the user's password will never expire; however, this is not recommended. You need to set this if you are setting the DISFORCE_PWD_CHANGE flag, because if you don't, the first time the user logs in they will not be prompted to change their password, and when they log out, they will be locked out of the system.

Several days before the user's password expires, a warning message is displayed upon login. You can set the number of days by defining LGI$EXPIRATION_WARNING_DAYS.

By default, the password that you specify with the AUTHORIZE utility is subject to change by the user at login. However, sometimes (e.g. with captive accounts) you do not want the user to change the password. To prevent the user from changing the password, use the LOCKPWD flag.

Pre-expired passwords

Passwords you specify with AUTHORIZE are defined as expired by default. This forces the user to change the initial password when first logging in. The user's current password is pre-expired if the date of the last password change in their SYSUAF record is listed as "(pre-expired)". If you do not want the password you define with AUTHORIZE to be pre-expired, add the qualifier /NOPWDEXPIRED when entering the password. This is necessary for accounts whose users are not permitted to set their own password.
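The per-account controls described in the sections from Minimum password length through Pre-expired passwords, together with the system password from the System password section, can be applied from one AUTHORIZE session. The procedure below is an added example, not content from the wiki page or from VSI: the user names (JSMITH, SYSMGR, PAYROLL, REPORTS), UIC, directories, delta times, the terminal name TTA1 and every password value are illustrative assumptions, and the two LGI$ logical names are shown as executive-mode system logicals because that is how the OpenVMS documentation defines them.

```dcl
$! Added example (not from the wiki page). Names, UICs, times and
$! passwords are constructed placeholders; replace them with site values.
$!
$! Site-wide: users must keep a new password for at least 1 day, and are
$! warned 7 days before expiry (values are assumptions).
$ DEFINE/SYSTEM/EXECUTIVE_MODE LGI$PASSWORD_NOCHANGE_DAYS 1
$ DEFINE/SYSTEM/EXECUTIVE_MODE LGI$EXPIRATION_WARNING_DAYS 7
$!
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
!
! Ordinary user: 8-character minimum, 90-day lifetime (delta time is
! dddd-hh:mm:ss.cc). History and dictionary checks stay enabled, and the
! initial password is pre-expired by default, so JSMITH must change it
! at first login.
ADD JSMITH /OWNER="J. Smith" /UIC=[200,101] /DEVICE=SYS$SYSDEVICE -
    /DIRECTORY=[JSMITH] /PASSWORD=Initial-Pw-Placeholder -
    /PWDMINIMUM=8 /PWDLIFETIME=90-0
!
! Privileged user: 30-day lifetime, and GENPWD so every future password
! is system-generated; the initial primary password is generated too.
MODIFY SYSMGR /PWDLIFETIME=30-0 /FLAGS=(GENPWD) /GENERATE_PASSWORD=PRIMARY
!
! Sensitive account: primary and secondary password, both required at
! login; the secondary is held by a supervisor rather than the user.
MODIFY PAYROLL /PASSWORD=(Primary-Pw-Placeholder, Secondary-Pw-Placeholder)
!
! Captive account with a fixed password. LOCKPWD stops the user changing
! it, DISFORCE_PWD_CHANGE means no forced change at login, so per the
! page /NOPWDLIFETIME is required (otherwise the account locks out after
! the first logout) and /NOPWDEXPIRED because the user cannot set a new
! password.
MODIFY REPORTS /FLAGS=(CAPTIVE, LOCKPWD, DISFORCE_PWD_CHANGE) -
    /NOPWDLIFETIME /PASSWORD=Fixed-Pw-Placeholder /NOPWDEXPIRED
!
! Seldom-used account: the page's documented trade-off of switching off
! history (not recommended in general).
MODIFY ARCHIVE /FLAGS=(DISPWDHIS)
!
! System password for exposed terminals; unrelated to any user record.
MODIFY/SYSTEM_PASSWORD=Terminal-Pw-Placeholder
!
! Review the result: the password-related lines of the UAF record show
! the lifetime, minimum length, last change date and flags.
SHOW JSMITH
SHOW REPORTS
EXIT
$!
$! Require the system password on a dial-in terminal (terminal name is an
$! assumption) and make the setting persist.
$ SET TERMINAL TTA1: /SYSPWD /PERMANENT
$ EXIT
```

The SHOW output is the check worth building into a routine audit: a record whose last-change field reads "(pre-expired)" on an account meant for unattended use, or a NOPWDLIFETIME account without LOCKPWD, is exactly the combination the sections above warn about.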