HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 3 Using the System Responsibly

Choosing a Password for Your Account

To choose a secure password, use the following guidelines:

  • Include both numbers and letters in the password. Although a 6-character password that contains only letters is secure, a 6-character password with both letters and numbers is much more secure.

  • Choose passwords that contain 6 to 10 characters. Adequate length makes passwords more secure. You can choose a password as long as 32 characters.

  • Do not select passwords from a dictionary or from your native language.

  • Avoid choosing words readily associated with your computer site or yourself, such as the name of a product or the model of your car.

  • Choose new passwords each time. Do not reuse old ones.

Your security administrator may set up additional restrictions, for example, not allowing passwords with fewer than 10 characters.

“Secure and Insecure Passwords” provides examples of secure as opposed to risky passwords.

Table 3-1 Secure and Insecure Passwords

Secure Passwords Insecure Passwords

Nonsense syllables: aladaskgam eojfuvcue joxtyois

Words with a strong personal association: your name the name of a loved one the name of your pet the name of your town the name of your automobile

A mixed string: 492_weid $924spa zu_$rags

A work-related term: your company name a special project your work group name

 

Obtaining Your Initial Password

Typically, when you learn that an account has been created for you on the system, you are told whether a user password is required. If user passwords are in effect, you are told to use a specific password for your first login. This password has been placed in the system user authorization file (SYSUAF.DAT) with other information about how your account can be used.

It is inadvisable to have passwords that can be easily guessed. Ask the person creating an account for you to specify a password that is difficult to guess. If you have no control over the password you are given, you might be given a password that is the same as your first name. If so, change it immediately after you log in. (The use of first or last names as passwords is a practice so well known that it is undesirable from a security standpoint.)

Log in to your account soon after it is created to change your password. If there is a time lapse from the moment when your account is created until your first login, other users might log in to your account successfully, gaining a chance to damage the system. Similarly, if you neglect to change the password or are unable to do so, the system remains vulnerable. Possible damage depends largely on what other security measures are in effect.

At the time your account is created, you should also be told a minimum length for your password and whether you can choose your new password or let the system generate the password for you.

Observing System Restrictions on Passwords

The system screens passwords for acceptability, as follows:

  • It automatically compares new passwords to a system dictionary. This helps to ensure that a password is not a native language word.

  • It maintains a history list of your old passwords and compares each new password to this list to be sure that you do not reuse an old password.

  • It enforces a minimum password length, which the system manager specifies in your UAF record.