OpenVMS User's Manual
1.3.2 Changing Your Initial Password
Log in to your account soon after it is created to change your
password. If there is a time lapse from the moment your account is
created until your first login, other users might log in to your
account successfully, gaining a chance to damage the system. Similarly,
if you neglect to change the password or are unable to do so, the
system remains vulnerable. Possible damage depends largely on what
other security measures are in effect. See Section 1.7 for more
information on changing passwords.
1.3.3 Restrictions on Passwords
The system screens passwords for acceptability, as follows:
- It automatically compares new passwords to a system dictionary.
This helps to ensure that a password is not a native language word.
- It maintains a history list of your old passwords and compares each
new password to this list to be sure that you do not reuse a password.
- It enforces a minimum password length, which the system manager
specifies in your UAF record.
The system rejects any passwords that it finds in a system dictionary,
that you have used before, and that are shorter than the minimum
password length specified in your UAF.
1.3.4 Types of Passwords
There are several types of passwords recognized by the OpenVMS
- User password
Required for most accounts. After entering your user name, you are
prompted for a password. If the account requires both primary and
secondary passwords, two passwords must be entered.
- System password
Controls access to particular terminals and is required at the
discretion of the security administrator. System passwords are usually
necessary to control access to terminals that might be targets for
unauthorized use, such as dialup and public terminal lines.
- Primary password
The first of two passwords to be entered for an account requiring
both primary and secondary passwords.
- Secondary password
The second of two passwords to be entered for an account requiring
both primary and secondary passwords. The secondary password provides
an additional level of security on user accounts.
Typically, the primary user does not know the secondary password; a
supervisor or other key person must be present to supply it. For
certain applications, the supervisor may also decide to remain present
while the account is in use. Thus, secondary passwords facilitate
controlled logins and the actions taken after a login.
Secondary passwords can be time-consuming and inconvenient. They
are justified only at sites with maximum security requirements. An
example of an account that justifies dual passwords would be one that
bypasses normal access controls to permit emergency repair to a
1.3.5 Entering a System Password
Your security administrator will tell you if you must specify a system
password to log in to one or more of the terminals designated for your
use. Ask your security administrator for the current system password,
how often it changes, and how to obtain the new system password when it
To specify a system password, do the following:
Press the Enter key until the terminal responds with the recognition
character, which is commonly a bell.
Type the system password and press Enter. There is no prompt and the
system does not display the characters you type. If you fail to specify
the correct system password, the system does not notify you.
(Initially, you might think the system is malfunctioning unless you
know that a system password is required at that terminal.) If you do
not receive a response from the system, assume that you have entered
the wrong password and try again.
When you enter the correct system password, you receive the system
announcement message, if there is one, followed by the Username:
prompt. For example:
MAPLE - A member of the Forest Cluster
Unauthorized Access is Prohibited
1.3.6 Entering a Secondary Password
Your security administrator decides whether to require the use of
secondary passwords for your account at the time your account is
created. When your account requires primary and secondary passwords,
you need two passwords to log in. Minimum password length, which the
security administrator specifies in your UAF, applies to both passwords.
As with a single password login, the system allots a limited amount of
time for the entire login. If you do not enter a secondary password in
time, the login period expires.
The following example shows a login that requires primary and secondary
WILLOW - A member of the Forest Cluster
Welcome to OpenVMS on node WILLOW
Last interactive login on Friday, 11-DEC-2002 10:22
1.3.7 Password Requirements for Different Types of Accounts
Four types of user accounts are available on OpenVMS systems:
- Accounts secured with passwords that you or the security
administrator change periodically. This account type is the most common.
- Accounts that always require passwords but prohibit you from
changing the password. By locking the password (setting the LOCKPWD
flag in the UAF), the security administrator controls all changes made
to the password.
- Restricted accounts limit your use of the system
and sometimes require a password.
Open accounts require no password. When you log in to
an open account, the system does not prompt you for a password and you
do not need to enter one. You can begin entering commands immediately.
Because open accounts allow anyone to gain access to the system, they
are used only at sites with minimal security requirements.
1.4 Reading Informational Messages
When you log in from a terminal that is directly connected to a
computer, the OpenVMS system displays informational system messages, as
shown in the following example.
WILLOW - A member of the Forest Cluster (1)
Unlawful Access is Prohibited
You have the following disconnected process: (2)
Terminal Process name Image name
VT320: RWOODS (none)
Connect to above listed process [YES]: NO
Welcome to OpenVMS on node WILLOW (3)
Last interactive login on Wednesday, 11-DEC-2002 10:20 (4)
Last non-interactive login on Monday, 30-NOV-2002 17:39 (5)
2 failures since last successful login (6)
You have 1 new mail message. (7)
Note the following about the example:
The announcement message identifies the node (and, if relevant, the
OpenVMS Cluster name). It may also warn unauthorized users that
unlawful access is prohibited. The system manager or security
administrator can control both the appearance and the content of this
A disconnected process message informs you that your process was
disconnected at some time after your last successful login but is still
available. You have the option of reconnecting to the old process, in
the state it was in before you were disconnected.
displays the disconnected message only when the following conditions
- The terminal where the interruption occurred is set up as a virtual
- Your terminal is set up as one that can be disconnected.
- During a recent session, your connection to the central processing
unit (CPU) through that terminal was broken before you logged out.
In general, the security administrator should allow you to reconnect
because this ability poses no special problems for system security.
However, the security administrator can disable this function by
changing the setup on terminals and by disabling virtual terminals on
the system. (For information on setting up and reconnecting to virtual
terminals, refer to the OpenVMS System Manager's Manual.)
- A welcome message indicates the version number
of the OpenVMS operating system that is running and the name of the
node on which you are logged in. The system manager can choose a
different message or can suppress the message entirely.
- The last successful interactive login message
provides the time of the last completed login for a local, dialup, or
remote login. (The system does not count logins from a subprocess whose
parent was one of these types.)
- The last successful noninteractive login
message provides the time the last noninteractive (batch or network)
The number of login failure messages indicates the number of failed
attempts at login. (An incorrect password is the only source of login
failure that is counted.) To attract your attention, a bell rings after
the message appears.
- The new mail message indicates if you have any
unread mail messages.
1.4.1 Suppressing Messages
A security administrator can suppress the announcement and welcome
messages, which include node names and operating system identification.
Because login procedures differ according to operating system, it is
more difficult to log in without this information.
The last login success and failure messages are optional. Your security
administrator can enable or disable them as a group. Sites with
medium-level or high-level security needs display these messages
because they can indicate break-in attempts. In addition, by showing
that the system is monitoring logins, these messages can be a deterrent
to potential illegal users.
1.4.2 Successful Login Messages
Each time you log in, the system resets the values for the last
successful login and the number of login failures. If you access your
account interactively and do not specify an incorrect password in your
login attempts, you may not see the last successful noninteractive
login and login failure messages.
1.5 Types of Logins and Login Classes
Logins can be either interactive or noninteractive. When you log in
interactively, you enter a user name and a password. In noninteractive
logins, the system performs the identification and authentication for
you; you are not prompted for a user name and password.
In addition to interactive and noninteractive logins, the OpenVMS
operating system recognizes different classes of logins. How you log in
to the system determines the login class to which you
belong. Based on your login class, as well as the time of day or day of
the week, the system manager controls your access to the system.
1.5.1 Interactive Logins
Interactive logins include the following login classes:
You log in from a terminal connected directly to the central
processor or from a terminal server that communicates directly with the
You log in to a terminal that uses a modem and a telephone line to
make a connection to the computer system. Depending on the terminal
that your system uses, you might need to execute a few additional steps
initially. Your site security administrator can give you the necessary
You log in to a node over the network by entering the DCL command
SET HOST. For example, to access the remote node HUBBUB, you enter the
If you have access to an account on node HUBBUB, you can log in to
that account from your local node. You have access to the facilities on
node HUBBUB, but you remain physically connected to your local node.
For additional information on remote sessions, see Section 1.12.2.
1.5.2 Noninteractive Logins
Noninteractive logins include the following:
- Network Logins
The system performs a network login when you initiate a network
task on a remote node, such as displaying the contents of a directory
or copying files stored in a directory on another node. Both your
current system and the remote system must be nodes in the same network.
In the file specification, you identify the target node and provide an
access control string, which includes your user name and password for
the remote node.
For example, a network login occurs when user
GREG, who has an account on remote node PARIS, enters the following
$ DIRECTORY PARIS"GREG 8G4FR93A"::WORK2:[PUBLIC]*.*;*
This command displays a listing of all the files in the public
directory on disk WORK2. It also reveals the password 8G4FR93A. A more
secure way to perform the same task would be to use a proxy account on
node PARIS. For an example of a proxy login, see
- Batch Logins
The system performs a batch login when a batch job that you
submitted runs. Authorization to build the job is
determined at the time the job is submitted. When the system prepares
to execute the job, the job controller creates a noninteractive process
that logs in to your account. No password is required when the job logs
1.6 Login Failures
Logins can fail for any number of reasons. One of your passwords might
have changed or your account might have expired. You might be
attempting to log in over the network or from a modem but be
unauthorized to do so. The following table summarizes common reasons
for login failure:
No response from the terminal
A defective terminal, a terminal that requires a system password, or a
terminal that is not powered on.
No response from any terminal
The system is down.
No response from the terminal when you enter the system password
The system password changed.
"User authorization failure"
A typing error in your user name or password.
The account or password expired.
"Not authorized to log in from this source"
Your particular class of login (local, dialup, remote, interactive,
batch, or network) is prohibited.
"Not authorized to log in at this time"
You do not have access to log in during this hour or this day of the
"User authorization failure" (and no known user failure occurred)
An apparent break-in has been attempted at the terminal using your user
name, and the system has temporarily disabled all logins at that
terminal by your user name.
The following sections describe the reasons for login failure in more
1.6.1 Terminals That Require System Passwords
You cannot log in if the terminal you attempt to use requires a system
password and you are unaware of the requirement. All attempts at
logging in fail until you enter the system password.
If you know the system password, perform the steps described in
Section 1.3.5. If your attempts fail, it is possible that the system
password has been changed. If you do not know the system password and
you suspect that this is the problem, try to log in at another terminal
or request the new system password.
1.6.2 Login Class Restrictions
If you attempt a class of login that is prohibited in your UAF record,
your login will fail. For example, your security administrator can
restrict you from logging in over the network. If you attempt a network
login, you receive a message telling you that you are not authorized to
log in from this source.
Your security administrator can restrict your logins to include or
exclude any of the following classes: local, remote, dialup, batch, or
1.6.3 Shift Restrictions
Another cause of login difficulty is failure to observe your shift
restrictions. A system manager or security administrator can control
access to the system based on the time of day or the day of the week.
These restrictions are imposed on classes of logins. The security
administrator can apply the same work-time restrictions to all classes
of logins or choose to place different restrictions on different login
If you attempt a login during a time prohibited for that login class,
your login fails. The system notifies you that you are not authorized
to log in at this time.
1.6.4 Batch Jobs During Shift Restrictions
When shift restrictions apply to batch jobs, jobs you submit that are
scheduled to run outside your permitted work times are not run. The
system does not automatically resubmit such jobs during your next
available permitted work time. Similarly, if you have initiated any
kind of job and attempt to run it beyond your permitted time periods,
the job controller aborts the uncompleted job when the end of your
allocated work shift is reached. This job termination behavior applies
to all jobs.
1.6.5 Failures During Dialup Logins
Your security administrator can control the number of opportunities you
are given to enter a correct password during a dialup login before the
connection is automatically broken.
If your login fails and you have attempts remaining, press the Enter
key and try again. You can do this until you succeed or reach the
limit. If the connection is lost, you can redial the access line and
The typical reason for limiting the number of dialup login failures is
to discourage unauthorized users attempting to learn passwords by trial
and error. They already have the advantage of anonymity because of the
dialup line. Of course, limiting the number of tries for each dialup
does not necessarily stop this kind of break-in attempt. It only
requires the perpetrator to redial and start another login.
1.6.6 Break-In Evasion Procedures
If anyone has made a number of failed attempts to log in at the same
terminal with your user name, the system can respond as though a
break-in attempt is in progress. That is, the system
concludes that someone is attempting to gain illegal access to the
system by using your user name.
At the discretion of your security administrator, break-in evasion
measures can be in effect for all users of the system. The security
administrator controls how many password attempts are allowed over what
period of time. Once break-in evasion tactics are triggered, you cannot
log in to the terminal---even with your correct password---during a
defined interval. Your security administrator can tell you how long you
must wait before reattempting the login, or you can move to another
terminal to attempt a login.
If you suspect that break-in evasion is preventing your login and you
have not personally experienced any login failures, contact your
security administrator immediately. Together, you should attempt
another login and check the message that reveals the number of login
failures since the last login to confirm or deny your suspicion of
break-in attempts. (If your system does not normally display the login
message, your security administrator can use the Authorize utility
(AUTHORIZE) to examine the data in your UAF record.) With prompt
action, your security administrator can locate someone attempting
logins at another terminal.
1.7 Changing Passwords
Changing passwords on a regular basis promotes system security. To
change your password, enter the DCL command SET PASSWORD.
The system manager can allow you to select a password on your own or
can require that you use the automatic password generator when you
change your password. If you select your own password, note that the
password must follow system restrictions on length and acceptability
(see Section 1.3.3).
There is no restriction on how many times you can change your password
in a given period of time.
The following example shows a password choice that is too short:
$ SET PASSWORD
%SET-F-INVPWDLEN, password length must be between 12 and 32
characters; password not changed