Password - Revision history

Dgordon: /* Password history */

2023-05-17T17:12:12Z

Password history

← Older revision		Revision as of 17:12, 17 May 2023
Line 18:		Line 18:

	By default, OpenVMS keeps the last 60 passwords for each user for 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained.		By default, OpenVMS keeps the last 60 passwords for each user for 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained.
	Password history may be disabled by using the [[Account flags\|~~DISPWDHISflag~~]] on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords.		Password history may be disabled by using the [[Account flags\|DISPWDHIS flag]] on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords.

	==Password dictionary==		==Password dictionary==

Dgordon: /* Password standards */

2023-05-17T17:11:25Z

Password standards

← Older revision		Revision as of 17:11, 17 May 2023
Line 10:		Line 10:

	=Password standards=		=Password standards=
	Maintain the appropriate level of password protection on your system through the use of relevant UAF [[Account flags\|flags]] and ~~qqualifiers~~ as well as logical names.		Maintain the appropriate level of password protection on your system through the use of relevant UAF [[Account flags\|flags]] and qualifiers as well as logical names.

			VSI strongly encourages system managers and other users to read Appendix A—Strength of Memorized Secrets of [https://pages.nist.gov/800-63-3/sp800-63b.html NIST Special Publication 800-63B - Digital Identity Guidelines] at a minimum.

	==Password history==		==Password history==
	See [[Password History\|full article]]		See [[Password History\|full article]]

	By default, OpenVMS keeps the last 60 passwords for each user ~~or those used in the last~~ 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained.		By default, OpenVMS keeps the last 60 passwords for each user for 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained.
	Password history may be disabled by using the [[Account flags\|DISPWDHISflag]] on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords~~. However, you may want to do this for the records that are seldom used to avoid having to set a new password each time that they are used~~.		Password history may be disabled by using the [[Account flags\|DISPWDHISflag]] on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords.

	==Password dictionary==		==Password dictionary==
Line 23:		Line 25:
	OpenVMS checks each new password against a system dictionary stored in SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA to ensure that it is not a native language word. To use a different file, redefine VMS$PASSWORD_DICTIONARY. To add words to the dictionary, create a text file with the words and merge it with the dictionary file.		OpenVMS checks each new password against a system dictionary stored in SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA to ensure that it is not a native language word. To use a different file, redefine VMS$PASSWORD_DICTIONARY. To add words to the dictionary, create a text file with the words and merge it with the dictionary file.
	You may disable dictionary checking by setting the [[Account flags\|DISPWDDIC flag]] on the account, but this is not a good practice. Dictionary words are weak passwords and compromise the security of your system.		You may disable dictionary checking by setting the [[Account flags\|DISPWDDIC flag]] on the account, but this is not a good practice. Dictionary words are weak passwords and compromise the security of your system.

			==Mixed-Case Passwords with Symbols==
			Setting the PWDMIX flag on a user account allows the use of an extended character set for passwords. With PWDMIX clear, the password set is A-Z,0-9,$_ and the input is converted to upper case. With PWDMIX set, the valid password character set includes most printable character on the keyboard and case is significant. Use of the space and tab characters are discouraged.

	==Minimum password length==		==Minimum password length==
	~~TTo~~ specify the minimum password length, use the /PWDMINIMUM qualifier. By default, it is 6 characters. ~~Generally, long~~ passwords are stronger, ~~but in OpenVMS it does not usually make sense to set minimum~~ password length to ~~more than 10 characters~~. There are restrictions on using the /GENERATE_PASSWORD qualifier with the /PWDMINIMUM qualifier. Generated passwords have an absolute length of 12 characters. Whenever there is a conflict between the value of /PWDMINIMUM and a generated password, the operating system uses the lesser of the two values.		To specify the minimum password length, use the /PWDMINIMUM qualifier. By default, it is 10 characters for non-privileged users and 15 for the SYSTEM account. Longer passwords are stronger. Beginning with V9.2 of VMS, the maximum password length is 64 characters. (Before using lengths over 32 characters, make sure your method of connection to the OpenVMS system permits longer passwords.) There are restrictions on using the /GENERATE_PASSWORD qualifier with the /PWDMINIMUM qualifier. Generated passwords have an absolute length of 12 characters in OpenVMS versions before V8.4-2L3. Whenever there is a conflict between the value of /PWDMINIMUM and a generated password, the operating system uses the lesser of the two values. Beginning in OpenVMS version V8.4-2L3, the maximum length of a generated password is 30 if PWDMIX is clear, and 32 if PWWDMIX is set.

	==Generated passwords==		==Generated passwords==
Line 32:		Line 37:

	==Password lifetime==		==Password lifetime==
	~~Typically~~, passwords should be changed regularly (usually every 30 to 90 days for privileged users and every 90 to 180 days for normal users) to limit unauthorized use of a compromised password. This makes it harder to guess the password by just watching the user type it. To specify the length of time a password is valid, use /PWDLIFETIME with a delta time as the value. You can also specify the minimum length of time that the password must be remained unchanged by defining LGI$PASSWORD_NOCHANGE_DAYS. If you specify /NOPWDLIFETIME, the user’s password will never expire; however, this is not recommended. You need to set this if you are setting the [[Account flags\|DISFORCE_PWD_CHANGE flag]], because if you don’t, the first time the user logs in they will not be prompted to change their password and when they log out, they will be locked out of the system.		Current wisdom is that forced password lifetime is counter-productive for most facilities. Password change should only be forced when there is belief that breach may have occurred and then password change should be forced for all users. However, it's likely that your local policy has more strict requirements.

			In a typical policy, passwords should be changed regularly (usually every 30 to 90 days for privileged users and every 90 to 180 days for normal users) to limit unauthorized use of a compromised password. This makes it harder to guess the password by just watching the user type it. To specify the length of time a password is valid, use /PWDLIFETIME with a delta time as the value. You can also specify the minimum length of time that the password must be remained unchanged by defining LGI$PASSWORD_NOCHANGE_DAYS. If you specify /NOPWDLIFETIME, the user’s password will never expire; however, this is not recommended. You need to set this if you are setting the [[Account flags\|DISFORCE_PWD_CHANGE flag]], because if you don’t, the first time the user logs in they will not be prompted to change their password and when they log out, they will be locked out of the system.
	Several days before the user’s password expires, a warning message is displayed upon login. You can set the number of days by defining LGI$EXPIRATION_WARNING_DAYS.		Several days before the user’s password expires, a warning message is displayed upon login. You can set the number of days by defining LGI$EXPIRATION_WARNING_DAYS.
	By default, the password that you specify with the [[AUTHORIZE]] utility is subject to change by the user at login. However, sometimes (e.g. with [[Captive account\|captive accounts]]) you do not want the user to change the password. To prevent the user from changing the password, use the [[Account flags\|LOCKPWD flag]].		By default, the password that you specify with the [[AUTHORIZE]] utility is subject to change by the user at login. However, sometimes (e.g. with [[Captive account\|captive accounts]]) you do not want the user to change the password. To prevent the user from changing the password, use the [[Account flags\|LOCKPWD flag]].

Dgordon: /* Primary and secondary passwords */

2023-05-17T16:19:38Z

Primary and secondary passwords

← Older revision		Revision as of 16:19, 17 May 2023
Line 4:		Line 4:

	=Primary and secondary passwords=		=Primary and secondary passwords=
	A [[Secondary password\|secondary password]] can be added to a user record on ~~siter~~ with high-level security concerns. Typically, the user does not know the secondary password, and a supervisor or other key person must be present to supply it. For certain applications, the supervisor may also decide to remain present while the account is in use. The effectiveness of a secondary password depends on the trustworthiness of the supervisor who supplies it because the supervisor can remove the secondary password by changing it to a null string.		A [[Secondary password\|secondary password]] can be added to a user record on sites with high-level security concerns. Typically, the user does not know the secondary password, and a supervisor or other key person must be present to supply it. For certain applications, the supervisor may also decide to remain present while the account is in use. The effectiveness of a secondary password depends on the trustworthiness of the supervisor who supplies it because the supervisor can remove the secondary password by changing it to a null string.

	=System password=		=System password=

Jane.doe: /* Password history */

2019-12-13T08:13:36Z

Password history

← Older revision		Revision as of 08:13, 13 December 2019
Line 14:		Line 14:
	==Password history==		==Password history==
	See [[Password History\|full article]]		See [[Password History\|full article]]

	By default, OpenVMS keeps the last 60 passwords for each user or those used in the last 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained.		By default, OpenVMS keeps the last 60 passwords for each user or those used in the last 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained.
	Password history may be disabled by using the [[Account flags\|DISPWDHISflag]] on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords. However, you may want to do this for the records that are seldom used to avoid having to set a new password each time that they are used.		Password history may be disabled by using the [[Account flags\|DISPWDHISflag]] on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords. However, you may want to do this for the records that are seldom used to avoid having to set a new password each time that they are used.

Jane.doe: /* Password dictionary */

2019-12-13T08:13:27Z

Password dictionary

← Older revision		Revision as of 08:13, 13 December 2019
Line 18:		Line 18:

	==Password dictionary==		==Password dictionary==
			See [[Password Dictionary\|full article]]

	OpenVMS checks each new password against a system dictionary stored in SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA to ensure that it is not a native language word. To use a different file, redefine VMS$PASSWORD_DICTIONARY. To add words to the dictionary, create a text file with the words and merge it with the dictionary file.		OpenVMS checks each new password against a system dictionary stored in SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA to ensure that it is not a native language word. To use a different file, redefine VMS$PASSWORD_DICTIONARY. To add words to the dictionary, create a text file with the words and merge it with the dictionary file.
	You may disable dictionary checking by setting the [[Account flags\|DISPWDDIC flag]] on the account, but this is not a good practice. Dictionary words are weak passwords and compromise the security of your system.		You may disable dictionary checking by setting the [[Account flags\|DISPWDDIC flag]] on the account, but this is not a good practice. Dictionary words are weak passwords and compromise the security of your system.

Jane.doe: /* Password history */

2019-12-13T08:13:00Z

Password history

← Older revision		Revision as of 08:13, 13 December 2019
Line 13:		Line 13:

	==Password history==		==Password history==
			See [[Password History\|full article]]
	By default, OpenVMS keeps the last 60 passwords for each user or those used in the last 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained.		By default, OpenVMS keeps the last 60 passwords for each user or those used in the last 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained.
	Password history may be disabled by using the [[Account flags\|DISPWDHISflag]] on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords. However, you may want to do this for the records that are seldom used to avoid having to set a new password each time that they are used.		Password history may be disabled by using the [[Account flags\|DISPWDHISflag]] on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords. However, you may want to do this for the records that are seldom used to avoid having to set a new password each time that they are used.

Darya.zelenina: Created page with "A '''password''' is a set of characters that servers to authenticate users on an OpenVMS system. Encrypted user passwords are stored in SYSUAF. When a user record is crea..."

2019-01-18T12:04:09Z

Created page with "A '''password''' is a set of characters that servers to authenticate users on an OpenVMS system. Encrypted user passwords are stored in SYSUAF. When a user record is crea..."

New page

A '''password''' is a set of characters that servers to authenticate users on an OpenVMS system. Encrypted user passwords are stored in [[SYSUAF]].

When a user record is created, the primary password is assigned to that user with the /PASSWORD qualifier. By default, the password is pre-expired, not case sensitive.

=Primary and secondary passwords=
A [[Secondary password|secondary password]] can be added to a user record on siter with high-level security concerns. Typically, the user does not know the secondary password, and a supervisor or other key person must be present to supply it. For certain applications, the supervisor may also decide to remain present while the account is in use. The effectiveness of a secondary password depends on the trustworthiness of the supervisor who supplies it because the supervisor can remove the secondary password by changing it to a null string.

=System password=
[[System password|System passwords]] are used for terminals that may be targets for unauthorized use. They are not related to user record passwords in any way except that they can also be defined in the [[AUTHORIZE]] utility.

=Password standards=
Maintain the appropriate level of password protection on your system through the use of relevant UAF [[Account flags|flags]] and qqualifiers as well as logical names.

==Password history==
By default, OpenVMS keeps the last 60 passwords for each user or those used in the last 365 days. The logical name SYS$PASSWORD_HISTORY_LIMIT specifies the maximum number of passwords maintained for each user, and SYS$PASSWORD_HISTORY_LIFETIME specifies the maximum time for which password history is maintained.
Password history may be disabled by using the [[Account flags|DISPWDHISflag]] on the account, but this is not recommended. Maintaining a password history prevents users from reusing old, possibly compromised, passwords. However, you may want to do this for the records that are seldom used to avoid having to set a new password each time that they are used.

==Password dictionary==
OpenVMS checks each new password against a system dictionary stored in SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA to ensure that it is not a native language word. To use a different file, redefine VMS$PASSWORD_DICTIONARY. To add words to the dictionary, create a text file with the words and merge it with the dictionary file.
You may disable dictionary checking by setting the [[Account flags|DISPWDDIC flag]] on the account, but this is not a good practice. Dictionary words are weak passwords and compromise the security of your system.

==Minimum password length==
TTo specify the minimum password length, use the /PWDMINIMUM qualifier. By default, it is 6 characters. Generally, long passwords are stronger, but in OpenVMS it does not usually make sense to set minimum password length to more than 10 characters. There are restrictions on using the /GENERATE_PASSWORD qualifier with the /PWDMINIMUM qualifier. Generated passwords have an absolute length of 12 characters. Whenever there is a conflict between the value of /PWDMINIMUM and a generated password, the operating system uses the lesser of the two values.

==Generated passwords==
[[Password generator|System generated passwords]] are random and therefore hard to guess.
You can force users to use automatically generated passwords by setting the [[Account flags|GENPWD flag]]. To set a generated password on a new user account, use the /GENERATE_PASSWORD. This qualifier works for both primary and secondary password.

==Password lifetime==
Typically, passwords should be changed regularly (usually every 30 to 90 days for privileged users and every 90 to 180 days for normal users) to limit unauthorized use of a compromised password. This makes it harder to guess the password by just watching the user type it. To specify the length of time a password is valid, use /PWDLIFETIME with a delta time as the value. You can also specify the minimum length of time that the password must be remained unchanged by defining LGI$PASSWORD_NOCHANGE_DAYS. If you specify /NOPWDLIFETIME, the user’s password will never expire; however, this is not recommended. You need to set this if you are setting the [[Account flags|DISFORCE_PWD_CHANGE flag]], because if you don’t, the first time the user logs in they will not be prompted to change their password and when they log out, they will be locked out of the system.
Several days before the user’s password expires, a warning message is displayed upon login. You can set the number of days by defining LGI$EXPIRATION_WARNING_DAYS.
By default, the password that you specify with the [[AUTHORIZE]] utility is subject to change by the user at login. However, sometimes (e.g. with [[Captive account|captive accounts]]) you do not want the user to change the password. To prevent the user from changing the password, use the [[Account flags|LOCKPWD flag]].

==Pre-expired passwords==
Passwords you specify with [[AUTHORIZE]] are defined as expired by default. This forces the user to change the
initial password when first logging in. The user's current password is pre-expired if the date of the last password change in their SYSUAF record is listed as "(pre-expired"). If you do
not want the password you define with [[AUTHORIZE]] to be pre-expired, add the qualifier /NOPWDEXPIRED
when entering the password. This is necessary for accounts when users are not permitted to set their own password.

[[Category:User Management]]
[[Category:Security]]
[[Category:Password]]