Changing passwords on a regular basis promotes system security.
To change your password, enter the DCL command SET PASSWORD.
The system manager can allow you to select a password on your
own or can require that you use the automatic password generator
when you change your password. If you select your own password,
note that the password must follow system restrictions on length
and acceptability (see
Observing System Restrictions on Passwords). For example, if your password choice is too short,
the system displays the following message:
%SET-E-INVPWDLEN, invalid password length - password not changed
There is no restriction on how many times you can change your
password in a given period of time.
Selecting Your Own Password If your system manager does not require use of the automatic
password generator, the SET PASSWORD command prompts you to enter
the new password. It then prompts you to reenter the new password
for verification, as follows:
$ SET PASSWORD
ReturnNew password:Verification:
If you fail to enter the same password twice, the password
is not changed. If you succeed in these two steps, there is no notification.
The command changes your password and returns you to the DCL prompt.
Even though your security administrator may not require the
password generator, you are strongly encouraged to use it to promote
the security of your system.
Using Generated Passwords describes how to use generated passwords.
Using Generated Passwords If your system security administrator decides that you must
let the system generate the password for you automatically, the
system provides you with a list of password choices when you enter
the DCL command SET PASSWORD. (When the system does not require
generated passwords, add the /GENERATE qualifier to SET PASSWORD
for a list of password choices.) The character sequence resembles
native language words to make it easy to remember, but it is unusual
enough to be difficult for outsiders to guess. Because system-generated passwords
vary in length, they become even more difficult to guess.
The password generator uses basic syllabic rules to
generate words but has no real knowledge of any language. As a result,
it can unintentionally produce words that are offensive.
In the following OpenVMS VAX example, the system automatically
generates a list of passwords made up of random sequences of characters.
The minimum password length for the user in the following example
has been set to 8 in the UAF record.
$SET PASSWORDOld password:
Return[1]
cigtawdpau cig-tawd-pau[2]adehecun a-de-he-cunceebatorai cee-ba-to-raiarhoajabad ar-hoa-ja-badChoose a password from this list, or press Return to get a new list[3]
New password:
Return[4]
Verification:
Return[5]
$ [6]
The preceding example illustrates the following:
The user correctly specifies the old
password and presses the Return key.
The system responds with a list of five password
choices ranging in length from 8 to 10 characters. There are representations
of the same word divided into syllables to the right of each password
choice. Usually the password that is easiest to pronounce is easiest
to remember and, therefore, the best choice.
The system informs the user that it is possible
to request a new list by pressing the Return key in response to
the prompt for a new password.
The user enters one of the first five possible passwords
and presses the Return key.
The system recognizes that this password is one
provided by the automatic password generator and responds with the
verification prompt. The user enters the new password again and
presses Return.
The system changes the password and responds with
the DCL prompt.
One disadvantage of automatic password generation is the possibility
that you might not remember your password choice. However, if you
dislike all the password choices in your list or think none are
easy to remember, you can always request another list.
A more serious drawback of automatic password generation is
the potential disclosure of password choices from the display the
command produces. To protect your account, change your password
in private. If you perform the change on a video terminal, clear
the display of password choices from the screen after the command
finishes. If you perform the change in a DECwindows environment,
use the Clear Lines Off Top option from the Commands menu to remove
the passwords from the screen recall buffer. If you
use a printing terminal, properly dispose of all hardcopy output.
If you later realize that you failed to protect your password
in these ways, change your password immediately. Depending on site
policy or your own judgment concerning the length of time your account
was exposed, you might decide to notify your security administrator
that a security breach could have occurred through your account.
Changing a Secondary Password To change a secondary password, use the DCL command SET PASSWORD/SECONDARY.
You are prompted to specify the old secondary password and the new
secondary password, just as in the procedure for changing the primary
password. To remove a secondary password, press the Return key when
you are prompted for a new password and verification.
You can change primary and secondary passwords independently,
but both are subject to the same change frequency because they share
the same password lifetime. See
Password and Account Expiration Times for information on password lifetimes.
Changing Your Password As You Log In Even if your current password has not yet expired, you can
change your password when you log in to the system by including
the /NEW_PASSWORD qualifier with your user name, as follows:
WILLOW - A member of the Forest ClusterUsername:RWOODS/NEW_PASSWORDPassword:Welcome to OpenVMS on node WILLOW Last interactive login on Tuesday, 7-NOV-2001 10:20 Last non-interactive login on Monday, 6-NOV-2001 14:20Your password has expired; you must set a new password to log inNew password:Verification:
Entering the /NEW_PASSWORD qualifier after your user name
forces you to set a new password immediately after login.
HP OpenVMS Guide to System Security
Security for the User
