HP OpenVMS DCL Dictionary
Changes a password or system password. Also, can establish a secondary
password or system password, or remove a secondary password.
See the qualifier descriptions for restrictions.
All user accounts on a system have passwords. A password is required
for logging in to the system.
To maintain secrecy, users should change their passwords from time to
time. The SET PASSWORD command offers a means of making this change.
A system manager can control which users have the right to change their
passwords, and can establish a minimum password length and the maximum
period of time that a password can remain unchanged. The OpenVMS system
automatically screens passwords against a dictionary and a history list
to prevent the use of native language words or the reuse of old
passwords. A system manager can add words readily associated with the
site to the dictionary, thus disallowing them as passwords.
Systems can also have passwords (not to be confused with the password
associated with the SYSTEM account). The system manager uses the SET
PASSWORD/SYSTEM command to change the system password from time to time.
A user password can contain up to 32 alphanumeric and special
characters. Unless your system manager has set the PWDMIX flag in your
authorization account record, the only special characters permitted are
the dollar sign ($) and underscore (_). Without the PWDMIX
authorization, all lowercase characters are converted to uppercase
before the password is encrypted. For example, "eagle" is the
same as "EAGLE."
If you have PWDMIX authorization, you can specify uppercase and
lowercase alphabetic characters, and you can use any special characters
in the printable character set. However, avoid using characters that
have special significance for layered products that accept passwords.
For example, a double quotation mark (") would be unacceptable in a
password in a DECnet access control string.
Blank spaces are permissible within a password, but they are not
considered part of the password, and OpenVMS ignores them. For example,
"MY PASSWORD" is an acceptable password, but the system only records
"MYPASSWORD." This means that "MYPA SSWORD" is also a valid password
for the account in question.
A password that contains blank spaces will fail in contexts where
spaces have meaning. For example, the syntax of an access control
string assumes there is one and only one space, preceding the password,
$ DIR JULY04"JEFFERSON PRESIDENT"::TEST.SDML
If you enter the following command, it will fail:
$ DIR JULY04"JEFFERSON PRE SIDENT"::TEST.SDML
Use the following procedure to change your password:
- Enter the SET PASSWORD command.
- The system prompts you for your current password. Enter your
- The system prompts you for a new password. Enter a new password, or
press Return to disable your current password.
- The system prompts you to verify the password. Enter the new
password to verify. (If the two entries of the new password do not
match, the password does not change.)
The following guidelines are recommended to minimize the chances of
passwords being discovered by trial-and-error or by exhaustive search:
- Make passwords at least 6 characters long.
- Avoid names or words that are readily associated with you.
- Change your passwords at least once every month.
To ensure that the previous guidelines are met, use the
/GENERATE[=value] qualifier. This qualifier generates random passwords
of up to 12 characters in length. The system manager can require
individual users to use generated passwords. For more information about
this, see the description of the Authorize utility's /GENERATE_PASSWORD
qualifier in the HP OpenVMS System Management Utilities Reference Manual.
If external authentication is enabled on your system and user accounts
in the SYSUAF file are marked for external authentication, those users
are authenticated using their external user IDs and passwords.
When a user has logged in using external authentication, the SET
PASSWORD command attempts to notify the external authentication service
of any password change. The following messages are displayed when this
%SET-I-SNDEXTAUTH, Sending password request to external authenticator
%SET-I-TRYPWDSYNCH, Attempting password synchronization
If the external authentication service cannot be contacted or the
password change is rejected, an error message is displayed to the user:
%SET-E-EXTPWDERR, Password could not be set by external authenticator
If the user was not externally authenticated but the EXTAUTH flag is
set (the user logged in with /LOCAL_PASSWORD), the new password is only
set locally in the SYSUAF file (normal OpenVMS password policy checks
do not apply in this case).
Generates a list of five random passwords. Press Return to repeat the
procedure until a suitable password appears.
Value is a number from 1 to 10 that restricts the length of
the password. For any value n, the SET PASSWORD command
generates passwords of from n to (n+2) characters
If no value is specified, SET PASSWORD uses a default value of 6, and
generates passwords from 6 to 8 characters long. Values greater than 10
are not accepted and produce errors.
If your system manager has established a minimum password length for
your account, SET PASSWORD/GENERATE=n compares that length with the
optional value specified with the /GENERATE qualifier, and uses the
larger of the two values. If you do not specify a value with the
/GENERATE qualifier, the account minimum length is used.
If the SET PASSWORD/GENERATE command fails to work properly, consult
your system manager to be sure that either the file
SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA exists, or the logical name
VMS$PASSWORD_DICTIONARY is correctly defined.
Creates or allows you to replace a secondary password. The procedure is
the same as setting your primary password.
Once a secondary password has been established, you will receive two
PASSWORD: prompts when logging in. The primary password should be typed
in first, followed by the secondary password.
Secondary passwords make it possible to set up an account that requires
two different people to access it. Each person knows one of the two
passwords, and both passwords are required to log in successfully.
To remove your secondary password, press Return when SET
PASSWORD/SECONDARY prompts you for a new password and verification.
After you do this, you will receive a single PASSWORD: prompt when
logging in. If you remove the secondary password, your system manager
must restore it.
The /SECONDARY and /SYSTEM qualifiers are incompatible.
Requires the SECURITY privilege.
Changes the system password rather than a user password.
A system password can be from 0 to 32 alphanumeric characters. The
dollar sign ($) and underscore (_) are also permitted. Uppercase and
lowercase characters are equivalent. All lowercase characters are
converted to uppercase before the password is encrypted.
A system password is valid only for the node it is set on. In an
OpenVMS Cluster, each node can have a different system password.
If a terminal line has the system password (SYSPWD) characteristic set,
no terminal prompts are sent to that terminal until the system password
The /SYSTEM and /SECONDARY qualifiers are incompatible. For more
information about the use of system passwords, see the HP OpenVMS Guide to System Security.
$ SET PASSWORD
Old password: HONCHO
New password: BIG_ENCHILADA
In response to the SET PASSWORD command, the system first prompts for
the old password and then for the new password. The system then prompts
again for the new password to verify it. The password changes if the
user is authorized to change this account's password, if the old
password is given correctly, and if the new password is given
identically twice; otherwise, an error message appears and the password
In a real session, neither the old password nor the new password and
its verification appear on the screen or paper.