OpenVMS Password Policy℠ Documentation


The steps to start using the PARSEC Group OpenVMS Password Policy℠ are:

  • Request a license for each system from PARSEC Group. Provide the necessary information:
    • Architecture: Integrity Servers, Alpha, VAX
    • Node name of each node
  • Install the license using VMSLICENSE.COM
  • Install the password policy
  • Edit PG$PASSWORD_SYSTARTUP.COM to configure the policy
  • Execute PG$PASSWORD_STARTUP.COM to start the policy
  • Modify the startup procedures to start the policy each time the system is booted

Character Sets

There are four classifications of characters used by the password policy. They are:

  • Upper-case
    This includes all upper-case characters A-Z
  • Lower-case
    This includes all lower-case characters a-z (available with OpenVMS V7.3-2 and later). These are not allowed on accounts which do not have the pwdmix flag set. Any portion of the password policy relating to lower-case characters is ignored for those accounts.
  • Numeric
    This includes the numbers 0-9
  • Other
    This includes all punctuation and other characters. For accounts which do not have the pwdmix flag set, this is the dollar sign and underscore characters ($ _). For accounts which do have the pwdmix flag set, this includes almost every printable character.

System Requirements

One of the following versions of OpenVMS is required:

  • VSI OpenVMS I64 V8.4-1H1 or later
  • HP OpenVMS I64 V8.2 or later
  • VSI OpenVMS Alpha V8.4-2L1 or later
  • HP OpenVMS Alpha V6.2 or later
  • OpenVMS VAX V6.2 or later

Startup and Shutdown

The OpenVMS Password Policy℠ is started using the SYS$STARTUP:PG$PASSWORD_STARTUP.COM command procedure. This procedure:

  • Executes SYS$MANAGER:PG$PASSWORD_SYSTARTUP.COM to define the logical names that configure the policy and other options
  • Installs the executable image that enforces the policy
  • Sets the LOAD_PWD_POLICY system parameter
  • Restarts the ACME (Authentication and Credential Management Extensions) server if it is running

The policy may be shut down using SYS$STARTUP:PG$PASSWORD_SHUTDOWN.COM. This procedure:

  • Resets the LOAD_PWD_POLICY system parameter
  • Restarts the ACME server if it is running
  • Uninstalls the executable image that enforces the policy

Logical Names

Logical names are used to configure the OpenVMS Password Policy℠. Each of these logical names must be defined system-wide or cluster-wide in executive mode. These are normally defined in SYS$MANAGER:PG$PASSWORD_SYSTARTUP.COM.

  • PG$PASSWORD_MIN_GROUPS
    This specifies the minimum number of character sets required to be included in the password. The default value of 3 means that each password must include characters in at least three of the four classifications of characters described above. For accounts which do not have the pwdmix flag set, the effective maximum is 3, since lower-case characters are not allowed in the password for those accounts.
  • PG$PASSWORD_MIN_UPPER
    This specifies the minimum number of upper-case characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
  • PG$PASSWORD_MIN_LOWER
    This specifies the minimum number of lower-case characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
  • PG$PASSWORD_MIN_NUMERIC
    This specifies the minimum number of numeric characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
  • PG$PASSWORD_MIN_OTHER
    This specifies the minimum number of non-alphanumeric characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
  • PG$PASSWORD_VALID_OTHER
    This defines which special characters are allowed. The default value of an empty string allows all characters enabled by OpenVMS. This may be used to disable the use of some characters, such as a space, which can interfere with access control strings used in network requests.
  • PG$PASSWORD_MAX_REPEAT
    This specifies the maximum number of consecutive identical characters allowed in the password. The default value of 2 prevents the use of AAA764B since the character A has been repeated more than two times.
  • PG$PASSWORD_MAX_SEQUENCE
    This specifies the maximum number of adjacent sequential characters, such as ABC or 987, allowed in the password. The default value of 3 prevents the use of A5678_J since 5678 is more than 3 sequential characters.
  • PG$PASSWORD_MIN_LENGTH
    This specifies the minimum length for acceptable passwords. OpenVMS allows setting a minimum password length for each account. This provides a system-wide minimum.
  • PG$PASSWORD_MAX_CHECK
    When defined to a non-zero value, this sets the maximum number of characters to be checked in the password. This allows the policy to be enforced on the first portion of the password while still allowing longer passwords to be used. If not defined, the default is to check the entire password.
  • PG$PASSWORD_CHECK_USERNAME
    If defined to a non-zero value, this disallows a password which contains the username as a portion of the password. For example, the password 2SMITH500 will not be allowed for the username SMITH. The check against the username is not case sensitive. By default, this check is enabled.
  • PG$PASSWORD_CHECK_OWNER
    If defined to a non-zero value, this disallows a password which contains any component of the owner field which has more than one character. For example, the password 2SMITH500 will not be allowed for an account which has the owner field set to "John R Smith". The letter R will be allowed in the password since this is a single character. This check is not case sensitive. By default, this check is enabled.
  • PG$PASSWORD_VERBOSE
    If defined to a non-zero value, messages will be displayed to the user indicating which portion of the password policy is not met when attempting to set an unacceptable password. By default, this is not enabled.
    Note: Do not enable this feature when using the ACME enabled version of LOGINOUT. This may be checked by looking for ACMELOGIN in the output from PRODUCT SHOW HISTORY.
  • PG$PASSWORD_CHECK_HASH
    When defined to a non-zero value, the hashed value of the password is checked for either half containing a value of 0 or -1. By default, this check is enabled.
  • PG$PASSWORD_DB_SERVER
    PG$PASSWORD_DB_USER
    PG$PASSWORD_DB_PASS
    PG$PASSWORD_DB_DB
    PG$PASSWORD_DB_LIMIT

    These logical names enable the check of the password against a database of password hashes. See the section on Pwned Passwords below for details.
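The rules above can be read as one decision procedure. The following Python model is an added example, not PARSEC Group code, and simply implements each PG$PASSWORD_* rule as described in this section so an administrator can predict how a candidate password will fare before touching a UAF record. It uses the page's defaults, folds the password to upper case for accounts without PWDMIX (as OpenVMS does), caps the attainable groups at three for those accounts, and ignores the PWDMIX-only lower-case rule for them. The hash-value check (PG$PASSWORD_CHECK_HASH) and the database check are left out; the treatment of PG$PASSWORD_VALID_OTHER as a simple allow-list is an assumption.

```python
"""Model of the PG$PASSWORD_* rules described above (added example, not PARSEC code)."""
import string
from dataclasses import dataclass
from typing import List, Optional

GROUPS = ("upper", "lower", "numeric", "other")


@dataclass
class Policy:
    """One field per PG$PASSWORD_* logical name, with the defaults given on the page."""
    min_groups: int = 3          # PG$PASSWORD_MIN_GROUPS
    min_upper: int = 0           # PG$PASSWORD_MIN_UPPER
    min_lower: int = 0           # PG$PASSWORD_MIN_LOWER
    min_numeric: int = 0         # PG$PASSWORD_MIN_NUMERIC
    min_other: int = 0           # PG$PASSWORD_MIN_OTHER
    valid_other: str = ""        # PG$PASSWORD_VALID_OTHER ("" = whatever OpenVMS permits)
    max_repeat: int = 2          # PG$PASSWORD_MAX_REPEAT
    max_sequence: int = 3        # PG$PASSWORD_MAX_SEQUENCE
    min_length: int = 0          # PG$PASSWORD_MIN_LENGTH (0 = no system-wide minimum)
    max_check: int = 0           # PG$PASSWORD_MAX_CHECK (0 = check the whole password)
    check_username: bool = True  # PG$PASSWORD_CHECK_USERNAME
    check_owner: bool = True     # PG$PASSWORD_CHECK_OWNER


def classify(ch: str) -> str:
    """Map a character onto one of the four classifications from the Character Sets section."""
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "numeric"
    return "other"


def longest_run(s: str, step: int) -> int:
    """Longest run in which each code point differs from the previous one by `step`.
    step=0 finds repeated characters (AAA); step=+1 / -1 finds ABC / 987 style sequences."""
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if ord(b) - ord(a) == step else 1
        best = max(best, run)
    return best


def check_password(password: str, username: str, owner: str = "",
                   policy: Optional[Policy] = None, pwdmix: bool = False) -> List[str]:
    """Return the names of the rules the password violates; an empty list means acceptable."""
    policy = policy or Policy()
    failures = []
    # OpenVMS folds the password to upper case for accounts without the PWDMIX flag
    pw = password if pwdmix else password.upper()
    if policy.min_length and len(pw) < policy.min_length:
        failures.append("MIN_LENGTH")
    if policy.max_check:                      # enforce the rules on the first N characters only
        pw = pw[:policy.max_check]

    counts = {g: 0 for g in GROUPS}
    for ch in pw:
        counts[classify(ch)] += 1

    # Without PWDMIX only "$" and "_" are valid "other" characters; VALID_OTHER narrows further
    if pwdmix:
        allowed_other = set(policy.valid_other) if policy.valid_other else None
    else:
        allowed_other = {c for c in "$_" if not policy.valid_other or c in policy.valid_other}
    if allowed_other is not None and any(
            classify(c) == "other" and c not in allowed_other for c in pw):
        failures.append("VALID_OTHER")

    # Lower-case cannot occur without PWDMIX, so at most three groups are attainable there
    required_groups = policy.min_groups if pwdmix else min(policy.min_groups, 3)
    if sum(1 for g in GROUPS if counts[g] > 0) < required_groups:
        failures.append("MIN_GROUPS")
    for g, minimum in (("upper", policy.min_upper), ("lower", policy.min_lower),
                       ("numeric", policy.min_numeric), ("other", policy.min_other)):
        if g == "lower" and not pwdmix:       # lower-case rules are ignored for these accounts
            continue
        if counts[g] < minimum:
            failures.append("MIN_" + g.upper())

    if longest_run(pw, 0) > policy.max_repeat:                     # AAA764B: A three times in a row
        failures.append("MAX_REPEAT")
    if max(longest_run(pw, 1), longest_run(pw, -1)) > policy.max_sequence:  # A5678_J: 5678
        failures.append("MAX_SEQUENCE")

    # Both name checks are case-insensitive; owner components of one character are ignored
    if policy.check_username and username and username.upper() in pw.upper():
        failures.append("CHECK_USERNAME")
    if policy.check_owner and any(
            len(part) > 1 and part.upper() in pw.upper() for part in owner.split()):
        failures.append("CHECK_OWNER")
    return failures


if __name__ == "__main__":
    # The sample passwords are the ones used in the descriptions above
    for pw, user in (("hard2_Break", "WILLIAMS"), ("weakpass", "WILLIAMS"),
                     ("AAA764B", "SMITH"), ("A5678_J", "SMITH"), ("2SMITH500", "SMITH")):
        print(f"{pw:12} {check_password(pw, user, owner='John R Smith') or 'OK'}")
```

Running the block prints one line per sample password: hard2_Break passes, weakpass fails MIN_GROUPS, AAA764B fails MAX_REPEAT, A5678_J fails MAX_SEQUENCE, and 2SMITH500 fails both name checks for username SMITH with owner "John R Smith". Note that several of the page's single-rule illustrations also trip MIN_GROUPS under the default of 3, which is why the pg$password_policy utility reports every unmet rule rather than stopping at the first.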

Pwned Passwords

Current guidelines recommend checking any password against those exposed in previous data breaches. A collection of these passwords is available at Have I Been Pwned. This OpenVMS password policy can check a new password against a database of the hashed values of those passwords. To enable this feature, download the SHA-1 hashes and load them into a MySQL or MariaDB database table named "hashes". That table must have two columns populated from that download.

  • hash - A 40 character or longer char or varchar containing the hash value
  • instance - An int containing the number of times each password has been seen in the breach

Configure an account in the database which will have read only access to the hashes table. Then configure the policy to check the database. Each of the first four logical names must be defined; they do not have default values.

  • PG$PASSWORD_DB_SERVER
    This specifies the name or IP address of the MySQL or MariaDB database server
  • PG$PASSWORD_DB_USER
    This specifies the username of the database user with read access to the hashes table
  • PG$PASSWORD_DB_PASS
    This specifies the password of the database user with read access to the hashes table
  • PG$PASSWORD_DB_DB
    This specifies the name of the database containing the hashes table
  • PG$PASSWORD_DB_LIMIT
    Setting this to a non-zero value allows the use of passwords which have been seen only a limited number of times in past data breaches

Note: This feature is not available on VAX.
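The lookup the policy performs against the "hashes" table amounts to: hash the candidate with SHA-1, look the upper-case hex digest up in the hash column, and compare the instance count against PG$PASSWORD_DB_LIMIT. The following Python is an added example, not PARSEC Group code: it uses an in-memory SQLite table with the same two columns as a stand-in for the MySQL/MariaDB table, loads a few constructed rows (not real Have I Been Pwned data), and applies the limit semantics described above. Hashing the password exactly as typed, and rejecting only when the count exceeds the limit, are assumptions about the product's behaviour.

```python
"""Breach-database lookup modelled on the Pwned Passwords section (added example, not PARSEC code)."""
import hashlib
import sqlite3
from typing import Iterable, Tuple


def sha1_hex(password: str) -> str:
    """SHA-1 of the password in the upper-case hex form used by the Pwned Passwords download."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_hashes(conn: sqlite3.Connection, rows: Iterable[Tuple[str, int]]) -> None:
    """Create the two-column hashes table described on the page and load (hash, instance) rows."""
    conn.execute(
        "CREATE TABLE hashes (hash CHAR(40) NOT NULL PRIMARY KEY, instance INT NOT NULL)"
    )
    conn.executemany("INSERT INTO hashes (hash, instance) VALUES (?, ?)", rows)
    conn.commit()


def breach_count(conn: sqlite3.Connection, password: str) -> int:
    """How many times the password was seen in the loaded breach data (0 if never)."""
    # Parameterised query: the digest is never interpolated into the SQL text
    row = conn.execute(
        "SELECT instance FROM hashes WHERE hash = ?", (sha1_hex(password),)
    ).fetchone()
    return row[0] if row else 0


def is_pwned(conn: sqlite3.Connection, password: str, db_limit: int = 0) -> bool:
    """True when the password should be rejected under the PG$PASSWORD_DB_LIMIT rule:
    a limit of 0 rejects any password present in the table, a non-zero limit tolerates
    passwords seen at most that many times."""
    return breach_count(conn, password) > db_limit


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample table; the instance counts are made up for this example."""
    conn = sqlite3.connect(":memory:")
    load_hashes(conn, [
        (sha1_hex("password"), 9999),     # constructed: a very common breached password
        (sha1_hex("Summer2019!"), 3),     # constructed: seen only a few times
    ])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for candidate in ("password", "Summer2019!", "hard2_Break"):
        print(f"{candidate:12} seen {breach_count(db, candidate):5d} times; "
              f"rejected at limit 0: {is_pwned(db, candidate)}, "
              f"at limit 5: {is_pwned(db, candidate, db_limit=5)}")
```

Against a real MySQL or MariaDB server the same three statements apply, with the connector's placeholder (typically %s) in place of SQLite's ?; the read-only database account the page calls for only needs SELECT on the hashes table, since the policy never writes to it.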

Account Exclusion

The system administrator can create an identifier named PG$PASSWORD_EXCLUDE and grant it to specific users that should be excluded from enforcement of the password policy. For example:

$ set default sys$system
$ run authorize
UAF> add/identifier pg$password_exclude
%UAF-I-RDBADDMSG, identifier PG$PASSWORD_EXCLUDE value %X8001008E added to rights database
UAF> grant/identifier pg$password_exclude williams
%UAF-I-GRANTMSG, identifier PG$PASSWORD_EXCLUDE granted to WILLIAMS
UAF>

Password Testing

A utility named pg$password_policy is provided which allows testing a password for compliance with the policy without updating the account. This utility may be used by system administrators and individual users. It may be invoked in command procedures to validate a password before it is used in the authorize utility.

This utility accepts two parameters. The first parameter is the password to be validated which should be enclosed in quotes ("). The second parameter is an optional username. If not specified, then it defaults to the username of the process invoking the utility.

This utility does not check portions of the password policy which are part of standard OpenVMS, such as password history, the password dictionary and the minimum password length for individual accounts. It does not convert the entered password to upper case as OpenVMS does for accounts which do not have the PWDMIX flag set.

For example:

$ check_password :== $pg$password_policy
$ check_password "hard2_Break" williams
$ check_password "weakpass"
Password must contain characters from 3 or more of the following groups
of characters:
        Upper case letters (A-Z)
        Lower case letters (a-z)
        Numeric characters (0-9)
        Other characters
%SYSTEM-E-PWDWEAK, password is too easy to guess; please choose another string

For additional information, to request a demo license, or to purchase the OpenVMS Password Policy℠, please contact us at (888) 472-7732 or 888-4PARSEC, send an e-mail to experts@parsec.com or use our inquiry form.
