Illegal system access through the use of a known password
is most often caused by the owner's disclosing the password. It
is vital that you do not reveal your password to anyone.
You can best protect your password by observing the following
rules:
Select reasonably long passwords that cannot be guessed easily. Avoid using
words in your native language that appear in a dictionary. Consider including
numbers in your password. Alternatively, let the system generate passwords for
you automatically.

Never write down your password.

Never give your password to another user. If another user obtains your
password, change it immediately.

Do not include your password in any file, including the body of an electronic
mail message. (If anyone else reveals a password to you, delete the information
promptly.)

The character strings that appear with your actual password can make it easy
for someone to find your password in a file. For example, a quotation mark
followed by two colons ("::) always comes after a user name and password in an
access control string. Someone attempting to break into the system could obtain
your password by searching inadequately protected files for this string.
Another way in which you might reveal your password is by using the word
"password" in a text file, for example:

    My password is GOBBLEDYGOOK.

If you submit a batch job on cards, do not leave your password card where
others may be able to obtain your password from it.

Do not use the same password for accounts on different systems. An
unauthorized user can try one password on every system where you have an
account. The account that first reveals the password might hold little
information of interest, but another account might yield more information or
more privileges, ultimately leading to a far greater security breach.

Before you log in to a terminal that is already on, invoke the secure terminal
server feature (if enabled) by pressing the Break key. The secure server
ensures that the OpenVMS login program is the only program able to receive
your login and thereby eliminates the possibility of revealing a password to a
password grabber program. This is particularly relevant when you are working
in a public terminal room. A password grabber program is a special program
that displays an empty video screen, a screen that appears to show the system
has just been initialized after a crash, or a screen that shows a nonexistent
logout. When you attempt to log in, the program runs through the normal login
sequence so you think you are entering your user name and password in a normal
manner. However, once the program receives this key information and passes it
on to the perpetrator, it displays a login failure. You might think you
mistyped your password and be unaware that you have just revealed it to
someone else.

Unless you share your password, change it every 3 to 6 months. HP warns
against sharing passwords. If you do share your password, change it every
month.

Change your password immediately if you have any reason to suspect it might
have been discovered. Report such incidents to your security administrator.

Do not leave your terminal unattended after you log in. You might think the
system failed and came back up again, when actually someone has loaded a
password-stealing program. Even a terminal that displays an apparently valid
logout message might not reflect a normally logged out process.

Routinely check your last login messages. A password-stealing program cannot
actually increase the login failure count, although it looks like a login
failure to you. Be alert for login failure counts that do not appear after you
log in incorrectly or that are one less than the number you experienced. If you
observe this or any other abnormal failure during a login, change your password
immediately, and notify your security administrator.
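Two of the rules above lend themselves to a mechanical check: the rule on choosing a
password (reasonable length, not a dictionary word, contains digits) and the rule on
never storing a password in a file, where the "user password"::" shape of an access
control string and the phrase "password is" are the tell-tale patterns. The script below
is an added example, written for this page; it is not part of the OpenVMS documentation
or of any HP tool. It assumes the access control string takes the form
NODE"username password"::, uses a small constructed word list in place of a real
dictionary, a minimum length of 12 characters chosen for illustration, and constructed
sample file lines. Findings deliberately report the line number, the kind of exposure and
(for access control strings) the user name, but never the password itself, so the report
does not become a second copy of the secret.

```python
import re

# Constructed stand-in for a real dictionary (assumption: a real check would
# load a full word list, e.g. the system dictionary file).
SAMPLE_DICTIONARY = {
    "password", "secret", "welcome", "orange", "gobbledygook", "system",
}

# Minimum length is an assumption chosen for this example, not a value
# stated in the OpenVMS guidance.
MIN_LENGTH = 12


def check_password_rules(password, dictionary=SAMPLE_DICTIONARY,
                         min_length=MIN_LENGTH):
    """Return the list of rules the candidate password violates.

    An empty list means the password satisfies the rules given in the text:
    reasonably long, not a dictionary word, and containing at least one digit.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no digits")
    lowered = password.lower()
    # A dictionary word with digits tacked on the end is still easy to guess,
    # so strip trailing digits before the lookup as well.
    stripped = lowered.rstrip("0123456789")
    if lowered in dictionary or stripped in dictionary:
        problems.append("is a dictionary word (possibly with digits appended)")
    return problems


# Assumed access control string shape: NODE"username password"::rest
# The text notes that the quotation mark followed by two colons always
# follows the user name and password, which is what the regex keys on.
ACCESS_CONTROL_STRING = re.compile(r'"([^"\s]+)\s+([^"\s]+)"::')

# The phrase "password is" followed by a token, as in the example line
# quoted in the text ("My password is GOBBLEDYGOOK.").
PASSWORD_PHRASE = re.compile(r"\bpassword\s+is\s+\S+", re.IGNORECASE)


def scan_for_leaked_passwords(lines):
    """Scan text lines for the two exposure patterns described in the text.

    Returns a list of (line_number, kind, username_or_None). The password
    value itself is never copied into the findings.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in ACCESS_CONTROL_STRING.finditer(line):
            findings.append((lineno, "access control string", match.group(1)))
        if PASSWORD_PHRASE.search(line):
            findings.append((lineno, "password phrase", None))
    return findings


# Constructed sample file contents (not taken from any real system).
SAMPLE_FILE = [
    '$ COPY NODE1"JONES S3CR3T9X"::DISK$USER:[JONES]REPORT.TXT []',
    "Reminder: my password is GOBBLEDYGOOK.",
    "$ SHOW USERS",
    "The password policy requires a minimum length.",
]


if __name__ == "__main__":
    for candidate in ("orange", "Gobbledygook7", "rM4qzw9Tp2kL"):
        print(candidate, "->", check_password_rules(candidate) or "ok")
    for lineno, kind, user in scan_for_leaked_passwords(SAMPLE_FILE):
        who = f" (user {user})" if user else ""
        print(f"line {lineno}: possible exposure via {kind}{who}")
```

Running the scanner over a home directory's text files (mail folders, command
procedures, log files) is a reasonable periodic self-check; a hit on line 1 above
means the password in that access control string should be treated as disclosed
and changed, exactly as the guidance on suspected discovery says.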