PARSEC Group 

OpenVMS Password Policy

The purpose of a password, and its associated policy, is to protect the resources on an organization's network. To be effective, all passwords should be strong and all users should follow both the letter and intent of a good password policy. Resources made available to the users should be properly protected so that they do not become available to other users who do not have the appropriate passwords.

Strong Passwords

A strong password is one that is not easily guessed or determined by other means by someone else. Some characteristics of strong passwords include:

Passwords should be protected by the owner.

OpenVMS V8.2 and later support the use of case-sensitive passwords. This may be enabled on individual accounts by setting the PWDMIX flag in the AUTHORIZE utility. Once set, passwords may include each of the four groups of characters listed above. In earlier versions of OpenVMS, and when the PWDMIX flag is not set, all lower-case characters are converted to upper-case, and only a limited number of special characters are allowed. The minimum length of each password may also be set on a per-account basis.

OpenVMS provides and implements a password dictionary based on the English language. System managers may add to this dictionary to include words based on industry terms, company name, or other words or phrases which should not be used as passwords. The default password dictionary is SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA. To add to this, create a text file with the words to be added, each listed on separate lines. Then use the following DCL command:

CONVERT /MERGE /PAD <local-file> SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA

This merges the two files. Replace <local-file> with the name of the file containing the words to be added.
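The following DCL session shows both settings described above in this section, the per-account PWDMIX flag and minimum length, and the dictionary merge. It is an added example and not part of the PARSEC page; it assumes a system manager session with SYSPRV (needed to write into SYS$LIBRARY), OpenVMS V8.2 or later for PWDMIX, and a hypothetical account named JSMITH. The site word list is constructed for the example.

```dcl
$ ! Added example, not from the PARSEC page. Assumes SYSPRV, OpenVMS V8.2+
$ ! and a hypothetical account JSMITH.
$ !
$ ! 1. Per-account strength settings: case-sensitive passwords (PWDMIX)
$ !    and a 12-character minimum length (/PWDMINIMUM).
$ SET DEFAULT SYS$SYSTEM
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> MODIFY JSMITH /FLAGS=PWDMIX /PWDMINIMUM=12
UAF> SHOW JSMITH
UAF> EXIT
$ !
$ ! 2. Site-specific dictionary words, one per line, in upper case
$ !    (dictionary entries are stored in upper case). In a command
$ !    procedure the data lines end at the next "$" line; interactively,
$ !    end the CREATE input with Ctrl/Z. Word list constructed for this example.
$ CREATE SITE_WORDS.TXT
PARSEC
PAYROLL
WIDGETCO
$ !
$ ! 3. Keep a copy of the shipped dictionary, then merge the site words in.
$ COPY SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA -
       SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.ORIG
$ CONVERT /MERGE /PAD SITE_WORDS.TXT SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA
```

After the merge, a user on the JSMITH account who tries to set a password containing one of the added words (in any case, since the check is made against the upper-case dictionary) is refused at SET PASSWORD time.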

Password Change Frequency

Typically, passwords should be changed on a regular schedule. This is done to limit the unauthorized use of a password by someone who has compromised another user's password. It also makes it harder for someone to determine the password just by watching the user type it in.

Be cautious in setting unreasonable limits to how long a password may be used. When the frequency is too short, and the passwords are hard to remember, people are likely to write the password on a piece of paper that anyone can read. Any password that is written down is less secure than a simple password that has been remembered. At other times, they choose a pattern of passwords that are easier to remember; such as including the current month as part of the password. While computers may have a hard time detecting such a pattern, most people can recognize them and then know the password for the entire year.

On the other hand, if the password policy prevents the reuse of the last 10 passwords, some people will change their password 11 times in a row, with the last change setting the password back to its original value. Setting a minimum password lifetime discourages this practice, since users would have to keep each chosen password for a period of time before they could cycle back to the original one.

Common policies require privileged users to change their password every 30 to 90 days and normal, non-privileged users every 90 to 180 days. A minimum password lifetime of one to two days is the most common. When setting the policy based on privileged and non-privileged users, keep in mind that whether a user is privileged is determined not only by the privileges granted to the user's account, but also by the data that user may access. A user without any system privileges would still be considered a privileged user if they have access to classified information.

OpenVMS allows setting a password lifetime specific to each account through the AUTHORIZE utility. The minimum length of time a password must be kept before it may be changed again is set with the executive-mode, system-wide logical name LGI$PASSWORD_NOCHANGE_DAYS. By default, passwords may be changed as frequently as the user desires.

Password Reuse

Requiring users to change their password regularly may cause some users to want to switch between two or three different passwords. This may be discouraged by keeping a password history. A history can usually be configured to retain previously used passwords for a length of time, or to retain a fixed number of passwords. Depending on the frequency of password changes, common practice is to retain one to three years of password history. Some experts recommend setting the password history to retain all previous passwords and thereby prevent ever reusing a previous password. This may not be practical in environments with a large number of users and frequent password changes, because of the space required to maintain that history and the time required to check it each time a password is changed.

By default, OpenVMS maintains a password history for each user limited to the lesser of the last 60 passwords or those used during the last 365 days. Both of these may be changed with system-wide, executive-mode logical names. The logical name SYS$PASSWORD_HISTORY_LIMIT may be defined to specify the maximum number of passwords maintained for each user. The logical name SYS$PASSWORD_HISTORY_LIFETIME may be defined to specify the maximum number of days each password will be maintained.
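The session below puts the Password Change Frequency and Password Reuse settings above into practice: per-account lifetimes through AUTHORIZE, and the minimum-lifetime and history limits as executive-mode system logical names. It is an added example, not from the PARSEC page; the numeric values are illustrative choices inside the ranges the text gives, and JSMITH (non-privileged) and OPERATOR_X (privileged) are hypothetical account names.

```dcl
$ ! Added example, not from the PARSEC page. Values are illustrative;
$ ! JSMITH and OPERATOR_X are hypothetical accounts.
$ !
$ ! 1. Per-account password lifetime. /PWDLIFETIME takes a delta time
$ !    (days-hours:minutes); a non-privileged user gets 90 days, a
$ !    privileged user 30 days, matching the common policy in the text.
$ SET DEFAULT SYS$SYSTEM
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> MODIFY JSMITH /PWDLIFETIME=90-00:00
UAF> MODIFY OPERATOR_X /PWDLIFETIME=30-00:00
UAF> EXIT
$ !
$ ! 2. System-wide limits are executive-mode logical names in the system
$ !    table. Logical names do not survive a reboot, so the same DEFINE
$ !    lines belong in SYS$MANAGER:SYSTARTUP_VMS.COM as well.
$ !
$ !    Minimum lifetime: a new password must be kept at least 1 day,
$ !    which blocks the "change it 11 times" trick.
$ DEFINE /SYSTEM /EXECUTIVE_MODE LGI$PASSWORD_NOCHANGE_DAYS 1
$ !
$ !    History: remember up to 120 passwords, each for up to 730 days
$ !    (two years), instead of the defaults of 60 and 365.
$ DEFINE /SYSTEM /EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIMIT 120
$ DEFINE /SYSTEM /EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIFETIME 730
$ !
$ ! 3. Confirm what is in effect.
$ SHOW LOGICAL /SYSTEM LGI$PASSWORD_NOCHANGE_DAYS
$ SHOW LOGICAL /SYSTEM SYS$PASSWORD_HISTORY*
```

With these values, a user who changes a password and then tries SET PASSWORD again the same day is refused until the day has passed, and any password used within the last two years (up to 120 of them) is rejected as a reuse.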

Break-in Evasion

The system should be configured to detect when someone is trying to guess the password of an account and take action to prevent access in case a password has been compromised. This may be done by disabling access to the account, either temporarily, or until a system manager takes action to re-enable the account.

By default, VMS temporarily disables accounts that it believes are being attacked. Several LGI system parameters control what is considered a login attack and what action is taken. The DCL command SHOW INTRUSION may be used by security managers to determine which accounts are currently under attack. OpenVMS supports both permanently disabling the account, and disabling account access for a period of time after the attack ceases.
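The following session shows the operational side of break-in evasion: inspecting the intrusion database, adjusting the LGI parameters the text refers to, and re-enabling a legitimately locked-out source or account. It is an added example and not part of the PARSEC page. The parameter names LGI_BRK_LIM, LGI_BRK_TMO, LGI_HID_TIM and LGI_BRK_DISUSER are the standard OpenVMS break-in parameters; the values are illustrative, and TTA2: and JSMITH are hypothetical source and account names.

```dcl
$ ! Added example, not from the PARSEC page. Values are illustrative;
$ ! TTA2: and JSMITH are hypothetical.
$ !
$ ! 1. What does the system currently consider under attack?
$ !    Entries are listed as SUSPECT (failures below the limit) or
$ !    INTRUDER (limit reached, evasive action in effect).
$ SHOW INTRUSION
$ !
$ ! 2. Make the thresholds persistent by appending them to MODPARAMS.DAT
$ !    and letting AUTOGEN recompute and write the parameter file.
$ OPEN /APPEND MODP SYS$SYSTEM:MODPARAMS.DAT
$ WRITE MODP "! Break-in detection (site security policy)"
$ WRITE MODP "LGI_BRK_LIM = 5"        ! failures before a source becomes an intruder
$ WRITE MODP "LGI_BRK_TMO = 300"      ! seconds each failure counts toward the limit
$ WRITE MODP "LGI_HID_TIM = 600"      ! seconds evasion continues after the last attempt
$ WRITE MODP "LGI_BRK_DISUSER = 0"    ! 1 = permanently set DISUSER on the account instead
$ CLOSE MODP
$ @SYS$UPDATE:AUTOGEN GETDATA SETPARAMS NOFEEDBACK
$ !
$ ! 3. The LGI_BRK_* parameters are dynamic, so the running system can be
$ !    changed at once (this alone does not survive a reboot).
$ RUN SYS$SYSTEM:SYSGEN
SYSGEN> USE ACTIVE
SYSGEN> SET LGI_HID_TIM 600
SYSGEN> WRITE ACTIVE
SYSGEN> EXIT
$ !
$ ! 4. Recovery after the attack has been investigated. Clear a temporary
$ !    evasion record for a source rather than waiting for LGI_HID_TIM:
$ DELETE /INTRUSION_RECORD TTA2:
$ !
$ !    If LGI_BRK_DISUSER was set, the account stays disabled until a
$ !    system manager removes the DISUSER flag:
$ SET DEFAULT SYS$SYSTEM
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> MODIFY JSMITH /FLAGS=NODISUSER
UAF> EXIT
```

The trade-off in step 2 is the one the text describes: LGI_BRK_DISUSER=1 guarantees that a manager reviews every lock-out, at the cost of letting anyone who can reach a login prompt disable an account by deliberately failing the limit; the temporary evasion (LGI_BRK_DISUSER=0) recovers on its own after LGI_HID_TIM seconds.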

Site-Specific Password Policy

OpenVMS supports the specification of additional password rules through a site-specific password policy. This may be done through the use of a shareable image named VMS$PASSWORD_POLICY and setting the system parameter LOAD_PWD_POLICY. For additional information on this, see the HP OpenVMS Guide to System Security manual or contact PARSEC Group at http://www.parsec.com/products/password/index.php, or call 888-4-PARSEC.

Disclaimer

PARSEC Group works hard to maintain the accuracy and usefulness of its data. However, we cannot accept responsibility for the use or misuse of any information contained on this site. If you believe any information contained on this site is incorrect, please let us know through the use of our inquiry form.