Technical data
Security Considerations
12.2 Managing Passwords
Using the System Dictionary and the Password History List
The OpenVMS operating system automatically compares new passwords with
a system dictionary to ensure that a password is not a native language word.
It also maintains a password history list of a user’s last 60 passwords. The
operating system compares each new password with entries in the password
history list to ensure that an old password is not reused.
The system dictionary is located in SYS$LIBRARY. To disable the dictionary
search, specify the DISPWDDIC option with the /FLAGS qualifier in AUTHORIZE;
to enable it, specify NODISPWDDIC. The password history list is located in
SYS$SYSTEM. To disable the history search, specify the DISPWDHIS option with
the /FLAGS qualifier; to enable it, specify NODISPWDHIS.
Adding to the System Password Dictionary
You can modify the system password dictionary to include words of significance
to your site. The following procedure allows you to add words to the system
dictionary. The procedure also allows you to retain a file of the passwords that
you consider unacceptable.
1. Create a file containing passwords you want to add to the dictionary. Each
password should be on a separate line and in lowercase, as follows:
$ CREATE LOCAL_PASSWORD_DICTIONARY.DATA
somefamous
localheroes
Ctrl/Z
2. Enable SYSPRV and merge your local additions:
$ SET PROCESS/PRIVILEGE=SYSPRV
$ CONVERT/MERGE/PAD LOCAL_PASSWORD_DICTIONARY.DATA -
_$ SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA
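The file preparation in step 1, as an added example that is not part of the original manual: a Python helper that turns a list of candidate words into one lowercase entry per line, ready to be saved as LOCAL_PASSWORD_DICTIONARY.DATA before the merge in step 2. The function names, the sample words, and the accepted character set (letters, digits, $ and _, up to 32 characters) are assumptions of this example.

```python
import re

# Assumption of this example: only entries made of a-z, 0-9, $ and _ and
# at most 32 characters long are worth merging; adjust to your site's policy.
VALID_WORD = re.compile(r"[a-z0-9$_]{1,32}")

# Constructed sample input: site-specific words a security manager wants banned.
SAMPLE = ["SomeFamous", "localheroes ", "LocalHeroes", "", "our site!", "Acme_Labs$1"]


def build_local_dictionary(candidates):
    """Return (accepted, rejected) for a list of candidate words.

    accepted: lowercase, de-duplicated, sorted entries, one per output line.
    rejected: stripped originals that do not fit VALID_WORD, kept for review.
    """
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        word = raw.strip().lower()      # step 1 requires lowercase entries
        if not word:
            continue                    # skip blank lines
        if not VALID_WORD.fullmatch(word):
            rejected.append(raw.strip())
            continue
        if word not in seen:            # "LocalHeroes" and "localheroes" collapse
            seen.add(word)
            accepted.append(word)
    return sorted(accepted), rejected


def render(words):
    """Format the entries as file content: each password on a separate line."""
    return "".join(word + "\n" for word in words)


if __name__ == "__main__":
    ok, bad = build_local_dictionary(SAMPLE)
    print(render(ok), end="")
    for entry in bad:
        print("rejected:", repr(entry))
```
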
Defining Preexpired Passwords
When you add a new user to the UAF, you might want to define that user’s
password as having expired previously using the AUTHORIZE qualifier
/PWDEXPIRED. This forces the user to change the initial password when first
logging in.
Preexpired passwords are conspicuous in the UAF record listing. The entry for
the date of the last password change carries the following notation:
(pre-expired)
By default, the OpenVMS operating system forces new users to change their
passwords the first time they log in. Encourage your site to use a training
program for its users that includes information about changing passwords.
12.2.2 System Passwords
System passwords control access to terminals that might be targets for
unauthorized use, as follows:
• All terminals using dialup lines or public data networks for access
• Terminals on lines that are publicly accessible and not tightly secured, such
as those at computer laboratories at universities
• Terminals the security manager wants to reserve for security operations