Illegal system access through the use of a known password is most often caused by the owner's disclosing the password. It is vital that you do not reveal your password to anyone.
You can best protect your password by observing the following rules:
Select reasonably long passwords that cannot be guessed easily. Avoid using words in your native language that appear in a dictionary. Consider including numbers in your password. Alternatively, let the system generate passwords for you automatically.
Never write down your password.
Never give your password to another user. If another user obtains your password, change it immediately.
Do not include your password in any file, including the body of an electronic mail message. (If anyone else reveals a password to you, delete the information promptly.)
The character strings that appear with your actual password can make it easy for someone to find your password in a file. For example, a quotation mark followed by two colons ("::) always comes after a user name and password in an access control string. Someone attempting to break into the system could obtain your password by searching inadequately protected files for this string. Another way in which you might reveal your password is by using the word "password" in a text file, for example:
My password is GOBBLEDYGOOK.
If you submit a batch job on cards, do not leave your password card where others may be able to obtain your password from it.
Do not use the same password for accounts on different systems.
An unauthorized user can try one password on every system where you have an account. The account that first reveals the password might hold little information of interest, but another account might yield more information or more privileges, ultimately leading to a far greater security breach.
Before you log in to a terminal that is already on, invoke the secure terminal server feature (if enabled) by pressing the Break key. The secure server ensures that the OpenVMS login program is the only program able to receive your login and thereby eliminates the possibility of revealing a password to a password grabber program. This is particularly relevant when you are working in a public terminal room.
A password grabber program is a special program that displays an empty video screen, a screen that appears to show the system has just been initialized after a crash, or a screen that shows a nonexistent logout. When you attempt to log in, the program runs through the normal login sequence so you think you are entering your user name and password in a normal manner. However, once the program receives this key information and passes it on to the perpetrator, it displays a login failure. You might think you mistyped your password and be unaware that you have just revealed it to someone else.
Unless you share your password, change it every 3 to 6 months. HP warns against sharing passwords. If you do share your password, change it every month.
Change your password immediately if you have any reason to suspect it might have been discovered. Report such incidents to your security administrator.
Do not leave your terminal unattended after you log in.
You might think the system failed and came back up again, when actually someone has loaded a password-stealing program. Even a terminal that displays an apparently valid logout message might not reflect a normally logged out process.
Routinely check your last login messages. A password-stealing program cannot actually increase the login failure count, although it looks like a login failure to you. Be alert for login failure counts that do not appear after you log in incorrectly or that are one less than the number you experienced. If you observe this or any other abnormal failure during a login, change your password immediately, and notify your security administrator.
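The rule above about keeping passwords out of files can be checked against your own files. The following Python sketch is an added example, not part of the original guide: it flags lines that contain an access control string (assumed here to take the form NODE"user password"::) or the word "password" followed by a value, and masks the secret so the report does not disclose it again. The node name, account and sample lines are constructed.

```python
import re

# Assumed form of an access control string: NODE"username password"::
# The closing quotation mark and two colons ("::) are the marker the text describes.
ACCESS_CONTROL = re.compile(r'"(?P<user>[^\s"]+)[ \t]+(?P<secret>[^\s"]+)"::')
# The word "password" followed by "is", "=" or ":" and then a value (heuristic).
PASSWORD_WORD = re.compile(r'\bpassword\b\s*(?:is\b|=|:)\s*(?P<secret>\S+)', re.IGNORECASE)

PATTERNS = [("access-control-string", ACCESS_CONTROL),
            ("password-word", PASSWORD_WORD)]


def redact(line, match):
    """Return the line with the matched secret replaced by asterisks."""
    start, end = match.span("secret")
    return line[:start] + "********" + line[end:]


def scan_lines(lines):
    """Return (line number, finding kind, redacted line) for each suspect line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        text = line.rstrip("\r\n")
        for kind, pattern in PATTERNS:
            match = pattern.search(text)
            if match:
                findings.append((number, kind, redact(text, match)))
                break  # one finding per line is enough for a report
    return findings


def scan_file(path):
    """Scan one of your own text files; undecodable bytes are replaced."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_lines(handle)


# Constructed sample input (not taken from any real system).
SAMPLE = [
    '$ COPY BOSTON"JSMITH EXAMPLEPW"::WORK:[JSMITH]NOTES.TXT *.*',
    '$ DIRECTORY BOSTON::WORK:[JSMITH]',
    'My password is GOBBLEDYGOOK.',
    'Remember to change your password every 3 months.',
]

if __name__ == "__main__":
    for number, kind, text in scan_lines(SAMPLE):
        print(f"line {number}: {kind}: {text}")
```

The "password" pattern is a heuristic and will also flag harmless sentences such as "your password is expired", so treat each hit as something to review rather than a confirmed disclosure.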