Changing passwords on a regular basis promotes
system security. To change your password, enter the DCL command SET
The system manager can allow you to select a password
on your own or can require that you use the automatic password generator
when you change your password. If you select your own password, note
that the password must follow system restrictions on length and acceptability
(see “Observing System Restrictions on Passwords”). For example, if your password choice is too short, the system
displays the following message:
%SET-E-INVPWDLEN, invalid password length - password not changed
“Choosing a Password for Your Account” provides guidelines and examples
for specifying secure passwords.
There is no restriction on how many times you
can change your password in a given period of time.
Selecting Your Own Password
If your system manager does not require use of
the automatic password generator, the SET PASSWORD command prompts
you to enter the new password. It then prompts you to reenter the
new password for verification, as follows:
If you fail to enter the same password twice,
the password is not changed. If you succeed in these two steps, there
is no notification. The command changes your password and returns
you to the DCL prompt.
Even though your security administrator may not
require the password generator, you are strongly encouraged to use
it to promote the security of your system. “Using Generated Passwords” describes
how to use generated passwords.
Using Generated Passwords
If your system security administrator decides
that you must let the system generate the password for you automatically,
the system provides you with a list of password choices when you enter
the DCL command SET PASSWORD. (When the system does not require generated
passwords, add the /GENERATE qualifier to SET PASSWORD for a list
of password choices.) The character sequence resembles native language
words to make it easy to remember, but it is unusual enough to be
difficult for outsiders to guess. Because system-generated passwords
vary in length, they become even more difficult to guess.
|NOTE: The password generator uses basic syllabic rules
to generate words but has no real knowledge of any language. As a
result, it can unintentionally produce words that are offensive.|
In the following OpenVMS VAX example, the system
automatically generates a list of passwords made up of random sequences
of characters. The minimum password length for the user in the following
example has been set to 8 in the UAF record.
$ SET PASSWORD
cigtawdpau cig-tawd-pau 
Choose a password from this list, or press Return to get a new list 
The preceding example illustrates the following:
The user correctly specifies
the old password and presses the Return key.
The system responds with
a list of five password choices ranging in length from 8 to 10 characters.
There are representations of the same word divided into syllables
to the right of each password choice. Usually the password that is
easiest to pronounce is easiest to remember and, therefore, the best
The system informs the
user that it is possible to request a new list by pressing the Return
key in response to the prompt for a new password.
The user enters one of
the first five possible passwords and presses the Return key.
The system recognizes
that this password is one provided by the automatic password generator
and responds with the verification prompt. The user enters the new
password again and presses Return.
The system changes the
password and responds with the DCL prompt.
One disadvantage of automatic password generation
is the possibility that you might not remember your password choice.
However, if you dislike all the password choices in your list or think
none are easy to remember, you can always request another list.
A more serious drawback of automatic password
generation is the potential disclosure of password choices from the
display the command produces. To protect your account, change your
password in private. If you perform the change on a video terminal,
clear the display of password choices from the screen after the command
finishes. If you perform the change in a DECwindows environment, use
the Clear Lines Off Top option from the Commands menu to remove the
passwords from the screen recall buffer. If you
use a printing terminal, properly dispose of all hardcopy output.
If you later realize that you failed to protect
your password in these ways, change your password immediately. Depending
on site policy or your own judgment concerning the length of time
your account was exposed, you might decide to notify your security
administrator that a security breach could have occurred through your
Changing a Secondary Password
To change a secondary password, use the DCL command
SET PASSWORD/SECONDARY. You are prompted to specify the old secondary
password and the new secondary password, just as in the procedure
for changing the primary password. To remove a secondary password,
press the Return key when you are prompted for a new password and
You can change primary and secondary passwords
independently, but both are subject to the same change frequency because
they share the same password lifetime. See “Password and Account Expiration Times” for information
on password lifetimes.
Changing Your Password As You Log In
Even if your current password has not yet expired,
you can change your password when you log in to the system by including
the /NEW_PASSWORD qualifier with your user name, as follows:
WILLOW - A member of the Forest Cluster
Welcome to OpenVMS on node WILLOW
Last interactive login on Tuesday, 4-NOV-2008 10:20
Last non-interactive login on Monday, 3-NOV-2008 14:20
Your password has expired; you must set a new password to log in
Entering the /NEW_PASSWORD qualifier after your
user name forces you to set a new password immediately after login.