Technical data
Security Considerations
12.2 Managing Passwords
Implementing system passwords is a two-stage operation involving the DCL
commands SET TERMINAL and SET PASSWORD. First, decide which terminals
(typically dial-in and other externally reachable lines) require a system
password. Then, for each of those terminals, enter the DCL command
SET TERMINAL/SYSPASSWORD/PERMANENT, and set the password itself with
SET PASSWORD/SYSTEM. To require system passwords on all terminals, set the
system-password bit (TT2$M_SYSPWD) in the system parameter TTY$DEFCHAR2.
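The two-stage procedure above, written out as a DCL command procedure. This is an added example and not part of the OpenVMS manual; the terminal names TTA2: and TTA3: are assumptions, and SET PASSWORD/SYSTEM prompts interactively for the old and new system password (the caller needs the SECURITY privilege).

```dcl
$! Added example, not from the OpenVMS manual.
$! Stage 1: mark the terminals that must present a system password
$! before the normal username prompt. TTA2: and TTA3: are assumed
$! dial-in lines; substitute the site's own device names.
$! /PERMANENT records the setting so it survives logout/logon on
$! the line rather than applying to the current session only.
$ SET TERMINAL TTA2: /SYSPASSWORD /PERMANENT
$ SET TERMINAL TTA3: /SYSPASSWORD /PERMANENT
$!
$! Check: SHOW TERMINAL lists the line's characteristics, including
$! whether a system password is now required.
$ SHOW TERMINAL TTA2:
$ SHOW TERMINAL TTA3:
$!
$! Stage 2: set the system password shared by all /SYSPASSWORD lines.
$! SET PASSWORD/SYSTEM prompts for the old and new password; it is not
$! passed on the command line, so it does not land in the history or
$! in this procedure file.
$ SET PASSWORD /SYSTEM
```

A terminal marked /SYSPASSWORD gives no login prompt at all until the system password is typed, so a wrong choice of terminal (for example the console) can lock out the operator; verify with SHOW TERMINAL on a spare line before applying the setting system-wide through TTY$DEFCHAR2.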
12.2.3 Primary and Secondary Passwords
The use of dual passwords is cumbersome and mainly needed at sites with
high-level security concerns. The effectiveness of a secondary password depends
entirely on the trustworthiness of the supervisor who supplies it. A supervisor
can easily give out the password or, worse yet, change it to a null string.
The main advantage of a second password is that it prevents accounts from being
accessed through DECnet for OpenVMS using simple access control.
Another advantage of a second password is that it can serve as a detection tool
when a site has unexplained break-ins after the password has been changed and
the use of the password generator has been enforced. Select problem accounts,
and make them a temporary target of this restriction. If the problem goes away
when you institute personal verification through the secondary password, you
know you have a personnel problem. Most likely, the authorized user is revealing
the password for the account to one or more other users who are abusing the
account. Refer to the OpenVMS Guide to System Security for an explanation of
how to add secondary passwords.
12.2.4 Enforcing Minimum Password Standards
Security managers can use AUTHORIZE to impose minimum password
standards for individual users. Specifically, qualifiers and login flags provided by
AUTHORIZE control the minimum password length, how soon passwords expire,
and whether the user is forced to change passwords at expiration.
Password Expiration
With the AUTHORIZE qualifier /PWDLIFETIME, you can establish the
maximum length of time that can elapse between password changes before
the user is forced to change the password or lose access to the account.
A password lifetime forces the user to change the password regularly.
The lifetime can differ from user to user; users who have access to critical
files generally should have the shortest password lifetimes.
Forcing Expired Password Changes
By default, users are forced to change expired passwords when logging in:
a user whose password has expired is prompted for a new password at
login (the AUTHORIZE login flag DISFORCE_PWD_CHANGE turns this off for
an account). A password is valid for 90 days unless the site changes the
value with the /PWDLIFETIME qualifier.
Minimum Password Length
With the AUTHORIZE qualifier /PWDMINIMUM, you can require that every
password the user chooses be at least a given number of characters long.
Users can still specify passwords up to the maximum length of 32 characters.
Requiring the Password Generator
The /FLAGS=GENPWD qualifier in AUTHORIZE allows you to force the use of
the automatic password generator when a user changes a password. At some
sites, all accounts are created with this qualifier. At other sites, the security
manager can be more selective.
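An AUTHORIZE session that applies the standards discussed in this section (12.2.4) and also adds the secondary password used as the detection measure in 12.2.3. This is an added example, not from the manual or the OpenVMS Guide to System Security; the account names JONES and SMITH, the lifetime and length values, and the passwords shown are assumptions for illustration only.

```dcl
$! Added example, not from the OpenVMS manual. Run from a privileged
$! account: AUTHORIZE modifies SYSUAF.DAT.
$ SET DEFAULT SYS$SYSTEM
$ RUN SYS$SYSTEM:AUTHORIZE
!
! Minimum password standards for the hypothetical account JONES:
!   /PWDLIFETIME  delta time (days-hh:mm:ss); 30 days here instead of
!                 the 90-day default, since JONES reaches critical files
!   /PWDMINIMUM   reject any new password shorter than 12 characters
!   GENPWD        the user must take a password from the generator
! Flags are cumulative, so GENPWD is added with the existing flags kept.
MODIFY JONES /PWDLIFETIME=30-00:00:00 /PWDMINIMUM=12 /FLAGS=GENPWD
!
! The "personnel problem" test from 12.2.3 on the hypothetical account
! SMITH: keep the generator enforced and add a secondary password that
! only the supervisor knows. Two values in /PASSWORD set primary and
! secondary; both are illustrative placeholders.
MODIFY SMITH /FLAGS=GENPWD /PASSWORD=(RUSTIC-ORBIT, PLUME-KETTLE)
!
! Check the result: SHOW lists the lifetime, minimum length, flags and
! whether a secondary password is present for each account.
SHOW JONES
SHOW SMITH
EXIT
$ EXIT
```

Because the procedure's non-dollar lines are read by AUTHORIZE as its SYS$INPUT, the passwords in the SMITH line end up in the file; on a real system type that MODIFY command interactively rather than saving it, and note that an account with a secondary password can no longer be reached through DECnet with explicit (user-and-password) access control, as 12.2.3 describes.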