OpenVMS Password Policysm
PARSEC Group has developed an easy-to-implement, site-specific, password policy for OpenVMS V6.2 and later systems. This allows more control and enforcement of password policies than what is built into OpenVMS. Read Password Policies for more general information about setting up a policy.
The character set used for passwords is divided into four groups of characters. These are:
- Upper-case characters (A-Z)
- Lower-case characters (a-z) - Note: available with OpenVMS V7.3-2 and later
- Numeric characters (0-9)
- Other characters
Many password policies require the use of multiple characters from each group which makes it tougher for a hacker to guess. Using all groups of characters guarantees that it is not in a dictionary and provides many more combinations of characters for a more secure password. The policy should disallow the use of the username and several other common practices as part of the password. Once a policy has been set up, the operating system should enforce the policy as much as reasonable since some users may not be trusted to follow it and others might forget some details.
Password Policy Features
The PARSEC Group OpenVMS Password Policysm is a flexible module that may be configured using logical names. Basic password policy features include:
- Minimum number of groups of characters required
Users may be required to use characters from multiple groups of characters. On versions of OpenVMS which do not support lower-case characters, and for accounts which have not had this feature enabled, lower-case characters will not be required.
- Minimum number of characters from each group
Users may be required to use a minimum number of characters from each of the four groups
- Limit number of repeated characters
Passwords such as "testing777" may be prevented due to the same character being repeated too many times
- Limit number of sequenced characters
Passwords such as "testing123" and "321blastoff" may be prevented due to too many characters in a sequence
- Prevent use of username
The username may be prevented from being a portion of the password
- Prevent use of owner
The user may be prevented from using any component of the owner field longer than one character as part of the password
- Prevent use of passwords found in past breaches
The user may be prevented from using any password which has been found in previous data breaches
- Minimum password length
A system-wide minimum password length may be set to prevent an account from being intentionally or unintentionally set with too few characters
Other features include:
- Maximum Length Checked
The policy may be set to be enforced within the first portion of the password. For example, a user could specify a 30-character password, but the minimum number of character groups and the minimum number of groups of characters may be required to be present in the first 12 characters.
The user may be notified about which portions of the policy that is not met by their chosen password. This makes it easier for them to choose a secure password.
- Hash Value Check
The hashed value of the password may also be checked. While the user does not directly control this, a weak hashed value can make passwords easier to compromise.
- Account Exclusion
Specific accounts may be excluded from enforcement of the policy based on corporate needs.
Requirements: One of the following versions of OpenVMS is required:
- VSI OpenVMS I64 V8.4-1H1 or later
- HP OpenVMS I64 V8.2 or later
- VSI OpenVMS Alpha V8.4-2L1 or later
- HP OpenVMS Alpha V6.2 or later
- OpenVMS VAX V6.2 or later
You may download the PCSI kit for the password policy or review the on-line documentation. Right-click on the link and choose "Save link as..." to save the file on your PC and then transfer it to your OpenVMS system for installation using FTP. Before installing, be sure to request a license from PARSEC Group.
If this policy does not meet your needs, please contact us about developing a custom password policy based on your security policy.