|
|
|
|
This section describes basic elements of the standard OpenVMS password policy and how to manage them. For information about how to manage extensions to the standard password policy (also known as external authentication ), refer to the chapter "Managing System Access" in the HP OpenVMS Guide to System Security.
Initial Passwords
When you open an account for a new user with the Authorize
utility, you must give the user a user name and an initial password.
When you assign temporary initial passwords, observe all guidelines
recommended in
Guidelines for Protecting Passwords. You should consider using the automatic password generator.
Avoid any obvious pattern when assigning passwords.
Using the Automatic Password Generator
To use the automatic password generator while using the Authorize utility to open an account, add the /GENERATE_PASSWORD qualifier to either the ADD or the COPY command. The system responds by offering you a list of automatically generated password choices. Select one of these passwords, and continue setting up the account.
Using the System Dictionary and the Password History
List
The OpenVMS operating system automatically compares new passwords with a system dictionary to ensure that a password is not a native language word. It also maintains a password history list of a user's last 60 passwords. The operating system compares each new password with entries in the password history list to ensure that an old password is not reused.
The system dictionary is located in SYS$LIBRARY. You can enable or disable the dictionary search by specifying the DISPWDDIC or NODISPWDDIC option with the /FLAGS qualifier in AUTHORIZE. The password history list is located in SYS$SYSTEM. To enable or disable the history search, specify the DISPWDHIS or NODISPWDHIS option to the /FLAGS qualifier.
Adding to the System Password Dictionary
You can modify the system password dictionary to include words of significance to your site. The following procedure allows you to add words to the system dictionary. The procedure also allows you to retain a file of the passwords that you consider unacceptable.
$
CREATE LOCAL_PASSWORD_DICTIONARY.DATA
somefamous
localheroes
<Ctrl/Z>
$
SET PROCESS/PRIVILEGE=SYSPRV
$
CONVERT/MERGE/PAD LOCAL_PASSWORD_DICTIONARY.DATA -
_$
SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA
When you add a new user to the UAF, you might want to define that user's password as having expired previously using the AUTHORIZE qualifier /PWDEXPIRED. This forces the user to change the initial password when first logging in.
Preexpired passwords are conspicuous in the UAF record listing. The entry for the date of the last password change carries the following notation:(pre-expired)
By default, the OpenVMS operating system forces new users to change their passwords the first time they log in. Encourage your site to use a training program for its users that includes information about changing passwords.
System Passwords
System passwords control access to terminals that might be
targets for unauthorized use, as follows:
Implementing system passwords is a two-stage operation involving the DCL commands SET TERMINAL and SET PASSWORD. First, you must decide which terminals require system passwords. Then, for each terminal, you enter the DCL command SET TERMINAL/SYSPASSWORD/PERMANENT. To enable system passwords for all terminals, set the appropriate bit in the system parameter TTY$DEFCHAR2.
Primary and Secondary Passwords
The use of dual passwords is cumbersome and mainly needed
at sites with high-level security concerns. The effectiveness of
a secondary passwords depends entirely on the trustworthiness of
the supervisor who supplies it. A supervisor can easily give out
the password or worse yet, change it to a null string.
The main advantage of a second password is that it prevents accounts from being accessed through DECnet for OpenVMS using simple access control.
Another advantage of a second password is that it can serve as a detection tool when a site has unexplained break-ins after the password has been changed and the use of the password generator has been enforced. Select problem accounts, and make them a temporary target of this restriction. If the problem goes away when you institute personal verification through the secondary password, you know you have a personnel problem. Most likely, the authorized user is revealing the password for the account to one or more other users who are abusing the account. Refer to the HP OpenVMS Guide to System Security for an explanation of how to add secondary passwords.
Enforcing Minimum Password Standards
Security managers can use AUTHORIZE to impose minimum password
standards for individual users. Specifically, qualifiers and login
flags provided by AUTHORIZE control the minimum password length,
how soon passwords expire, and whether the user is forced to change
passwords at expiration.
With the AUTHORIZE qualifier /PWDLIFETIME, you can establish the maximum length of time that can elapse between password changes before the user will be forced to change the password or lose access to the account.
The use of a password lifetime forces the user to change the password regularly. The lifetime can be different for different users. Users who have access to critical files generally should have the shortest password lifetimes.
Forcing Expired Password Changes
By default, users are forced to change expired passwords when logging in. Users whose passwords have expired are prompted for new passwords at login. A password is valid for 90 days unless a site modifies the value with the /PWDLIFETIME qualifier.
With the AUTHORIZE qualifier /PWDMINIMUM, you can direct that all password choices must be a minimum number of characters in length. Users can still specify passwords up to the maximum length of 32 characters.
Requiring the Password Generator
The /FLAGS=GENPWD qualifier in AUTHORIZE allows you to force the use of the automatic password generator when a user changes a password. At some sites, all accounts are created with this qualifier. At other sites, the security manager can be more selective.
Guidelines for Protecting Passwords
Observe the following guidelines to protect passwords:
The following actions are not strictly for password protection, but they reduce the potential of password detection or limit the extent of the damage if passwords are discovered or bypassed:
Password History
The password history database maintains a history of previous
passwords associated with each user account. By default, the system
retains these records for one year. Password history records that
are older than the system password history lifetime are allowed
as valid password choices. When a user account is deleted, the system
removes the associated password history records from the history
database.
|
|