OpenVMS Password Policy
The purpose of a password, and its associated policy, is to protect the resources on an organization's network. To be effective, all passwords should be strong and all users should follow both the letter and intent of a good password policy. Resources made available to the users should be properly protected so that they do not become available to other users who do not have the appropriate passwords.
A strong password is one that is not easily guessed or determined by other means by someone else. Some characteristics of strong passwords include:
- Does not exist in a dictionary of any language
- Has not been found in print as an example of a password
- Includes upper-case, lower-case, numeric and special characters
- Not based on any personal information, such as names of family members, pets, phone numbers, etc.
- Not based on any common format, such as license plates, dates, phone numbers, etc.
- Longer passwords are stronger than shorter passwords
Passwords should be protected by the owner.
- Never share your password with anyone
- Never write down the password or include it in an e-mail
- Never provide clues to what the password is
- Do not use the same password for multiple environments, such as the office network and eBay
- Change the password any time you think it may have been compromised
OpenVMS V8.2 and later support the use of case-sensitive passwords. This may be enabled on individual accounts by setting the PWDMIX flag in the AUTHORIZE utility. Once set, passwords may include each of the four groups of characters listed above. In earlier versions of OpenVMS, and when the PWDMIX flag is not set, all lower-case characters are converted to upper-case, and only a limited number of special characters are allowed. The minimum length of each password may also be set on a per-account basis.
OpenVMS provides and implements a password dictionary based on the English language. System managers may add to this dictionary words based on industry terms, the company name, or other words or phrases that should not be used as passwords. The default password dictionary is SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA. To add to it, create a text file listing the words to be added, one per line, and then merge the two files with the following DCL command, replacing <local-file> with the name of the file containing the words to be added:
CONVERT /MERGE /PAD <local-file> SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA
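The following DCL command procedure is an added example, not code from the original page or from PARSEC Group. It applies the two controls just described to one account and then extends the site dictionary. The account name JSMITH, the minimum length of 12, the file name LOCAL_PASSWORD_DICTIONARY.DATA and the word list are constructed values; the AUTHORIZE qualifiers and the CONVERT command are OpenVMS's own. The dictionary entries are written in lowercase, which is an assumption here (the page does not state the case the dictionary expects).

```dcl
$ ! Added example: enable case-sensitive passwords and a minimum length on
$ ! one account, then merge site-specific words into the password dictionary.
$ ! JSMITH, 12, LOCAL_PASSWORD_DICTIONARY.DATA and the word list are constructed.
$ SET DEFAULT SYS$SYSTEM
$ !
$ ! PWDMIX makes the password case sensitive and allows the full set of
$ ! special characters; /PWDEXPIRED forces the user to choose a new
$ ! password at next login so the existing one is replaced by a compliant one.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY JSMITH /FLAGS=PWDMIX /PWDMINIMUM=12 /PWDEXPIRED
SHOW JSMITH
EXIT
$ !
$ ! Site word list: one entry per line, lowercase (assumption, see lead-in).
$ CREATE LOCAL_PASSWORD_DICTIONARY.DATA
acmecorp
widgetline
acmewidgets
$ !
$ ! Keep a copy of the shipped dictionary before merging into it, so the
$ ! change can be reversed if a bad word list is merged by mistake.
$ COPY SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA -
       SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA_ORIG
$ !
$ ! Merge the site list into the system dictionary (the command from the page).
$ CONVERT /MERGE /PAD LOCAL_PASSWORD_DICTIONARY.DATA -
       SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA
$ EXIT
```

When run as a command procedure, the lines without a leading `$` are fed as input to AUTHORIZE and CREATE respectively. Setting PWDMIX on an account does not by itself change the stored password, which is why the example also expires it; users who keep an old upper-case-only password would otherwise gain nothing from the flag.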
Password Change Frequency
Typically, passwords should be changed on a regular schedule. This is done to limit the unauthorized use of a password by someone who has compromised another user's password. It also makes it harder for someone to determine the password just by watching the user type it in.
Be cautious about setting unreasonably short limits on how long a password may be used. When the change interval is too short and the passwords are hard to remember, people are likely to write the password on a piece of paper that anyone can read. Any password that is written down is less secure than a simple password that has been remembered. Other users choose a pattern of passwords that is easier to remember, such as including the current month as part of the password. While computers may have a hard time detecting such a pattern, most people can recognize it and then know the password for the entire year.
On the other hand, if the password policy prevents the reuse of the last 10 passwords, some people will change their password 11 times in a row, with the last change setting the password back to its original value. Setting a minimum password lifetime discourages this practice, since users would be required to keep each chosen password for a period of time before they could get back to the original one.
Common policies require privileged users to change their password every 30 to 90 days and normal, non-privileged users every 90 to 180 days. A minimum password lifetime of one to two days is the most common. When setting the policy based on privileged and non-privileged users, keep in mind that whether a user is privileged is determined not only by the privileges granted to the user's account, but also by the data that user may access. A user without any system privileges would still be considered a privileged user if they have access to classified information.
OpenVMS allows setting a password lifetime specific to each account through the AUTHORIZE utility. The minimum length of time a password must be kept before it may be changed again is set with the executive-mode, system-wide logical name LGI$PASSWORD_NOCHANGE_DAYS. By default, passwords may be changed as frequently as the user desires.
Requiring users to change their password regularly may cause some users to want to switch between two or three different passwords. This may be discouraged by utilizing a password history. A history may usually be set to retain previously used passwords based on length of time, or on the number of passwords retained. Depending on the frequency of password changes, common practice is to retain one to three years of password history. Some experts recommend setting the password history to retain all previous passwords and thereby prevent ever reusing a previous password. This may not be practical in environments with a large number of users and frequent password changes, because of the space required to maintain that history and the time required to check it each time a password is changed.
By default, OpenVMS maintains a password history for each user limited to the lesser of the last 60 passwords or those used during the last 365 days. Both of these may be changed with system-wide, executive-mode logical names. The logical name SYS$PASSWORD_HISTORY_LIMIT may be defined to specify the maximum number of passwords maintained for each user. The logical name SYS$PASSWORD_HISTORY_LIFETIME may be defined to specify the maximum number of days each password will be maintained.
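The DCL below is an added example, not code from the original page or from PARSEC Group. It applies the lifetime and history settings discussed in this section: a per-account maximum lifetime for a privileged and a non-privileged account, and the three system-wide logical names for minimum lifetime and history. The account names OPS_ADMIN and JSMITH and the chosen values (90 and 180 days, 1 day, 100 passwords, 730 days) are constructed; the qualifiers and logical names are OpenVMS's own. Placing the DEFINE commands in SYS$MANAGER:SYLOGICALS.COM so they survive a reboot is the usual practice and is an assumption about how the site manages its logicals.

```dcl
$ ! Added example: password lifetime per account plus system-wide minimum
$ ! lifetime and password history. Account names and values are constructed.
$ SET DEFAULT SYS$SYSTEM
$ !
$ ! Maximum lifetime is a delta time (days-hours): privileged accounts change
$ ! every 90 days, normal accounts every 180 days, matching the ranges above.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY OPS_ADMIN /PWDLIFETIME=90-0
MODIFY JSMITH /PWDLIFETIME=180-0
SHOW OPS_ADMIN
SHOW JSMITH
EXIT
$ !
$ ! Minimum lifetime: a new password must be kept at least one day, which
$ ! defeats the "change it 11 times to get the old one back" trick.
$ DEFINE /SYSTEM /EXECUTIVE_MODE LGI$PASSWORD_NOCHANGE_DAYS 1
$ !
$ ! History: remember the last 100 passwords or two years' worth, whichever
$ ! is smaller (defaults are 60 and 365). Put these three DEFINEs in
$ ! SYS$MANAGER:SYLOGICALS.COM so they are redefined at every boot.
$ DEFINE /SYSTEM /EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIMIT 100
$ DEFINE /SYSTEM /EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIFETIME 730
$ !
$ ! Verify the definitions landed in the system table in executive mode.
$ SHOW LOGICAL /SYSTEM /FULL *PASSWORD*
$ EXIT
```

The SHOW LOGICAL /FULL output is the check worth keeping in a change record: a logical defined in supervisor mode, or only in a process table, is ignored by the login processor, and the policy silently reverts to the defaults.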
The system should be configured to detect when someone is trying to guess the password of an account and take action to prevent access in case a password has been compromised. This may be done by disabling access to the account, either temporarily, or until a system manager takes action to re-enable the account.
By default, OpenVMS temporarily disables accounts that it believes are being attacked. Several LGI system parameters control what is considered a login attack and what action is taken. The DCL command SHOW INTRUSION may be used by security managers to determine which accounts are currently under attack. OpenVMS supports both permanently disabling the account and disabling account access for a period of time after the attack ceases.
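The procedure below is an added example, not code from the original page or from PARSEC Group. It reviews and adjusts the break-in detection parameters from SYSGEN and then inspects the intrusion database. The parameter names LGI_BRK_LIM, LGI_BRK_TMO, LGI_HID_TIM and LGI_BRK_DISUSER are OpenVMS system parameters (the page refers to them collectively as the LGI parameters without naming them); the values set here are constructed, and persisting them through MODPARAMS.DAT and AUTOGEN is the usual practice rather than something the page states.

```dcl
$ ! Added example: tune login break-in detection and review intrusions.
$ ! Values are constructed; parameter names are OpenVMS system parameters.
$ RUN SYS$SYSTEM:SYSGEN
USE ACTIVE
SHOW /LGI
SET LGI_BRK_LIM 5
SET LGI_BRK_TMO 300
SET LGI_HID_TIM 600
SET LGI_BRK_DISUSER 0
WRITE ACTIVE
EXIT
$ !
$ ! LGI_BRK_LIM   failures counted before evasive action starts
$ ! LGI_BRK_TMO   seconds a failure stays in the count
$ ! LGI_HID_TIM   base number of seconds access stays disabled after the
$ !               attack stops (the temporary lockout described above)
$ ! LGI_BRK_DISUSER 1 = also set DISUSER on the account permanently so a
$ !               system manager must re-enable it; 0 = timed lockout only
$ !
$ ! WRITE ACTIVE changes the running system only. To keep the values across
$ ! a reboot, add the same lines to SYS$SYSTEM:MODPARAMS.DAT, for example
$ !   LGI_BRK_LIM = 5
$ !   LGI_HID_TIM = 600
$ ! and run @SYS$UPDATE:AUTOGEN.
$ !
$ ! List accounts and sources the system currently regards as under attack.
$ SHOW INTRUSION
$ EXIT
```

LGI_BRK_DISUSER is left at 0 here deliberately: with permanent disabling on, anyone who can reach the login prompt can lock a legitimate user out by typing the wrong password enough times, so most sites rely on the timed lockout and reserve permanent disabling for accounts that warrant the operational cost of manual re-enabling.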
Site-Specific Password Policy
OpenVMS supports the specification of additional password rules through a site-specific password policy. This may be done through the use of a shareable image named VMS$PASSWORD_POLICY and setting the system parameter LOAD_PWD_POLICY. For additional information on this, see the HP OpenVMS Guide to System Security manual or contact PARSEC Group at https://www.parsec.com/security/openvms-password.php, or call 888-4-PARSEC.