How OpenVMS Protects Passwords

OpenVMS takes a number of steps to minimize the risks associated with stolen or guessed passwords. It is the responsibility of every individual to protect his or her password, but OpenVMS attempts to help that process by preventing easily guessed passwords.

Most modern systems, including OpenVMS, store passwords only in a one-way encrypted form; they cannot be decrypted. When a user enters a password, the system encrypts it and compares the result with the encrypted password stored in the user authorization file. If the encrypted values match, the password is accepted.

Many attacks on system passwords rely on stealing a copy of the user authorization file and then using another computer to encrypt many possible passwords and look for a match with any user account. Note that this implies that an attacker already has access to at least one account in order to steal a copy of the authorization file.

The following are some of the features of OpenVMS that attempt to prevent successful attacks:

Password lifetime. Passwords can be set to expire after a certain amount of time, at the end of which the password must be changed. If a password is stolen, it will be valid only for a finite time. At login, OpenVMS will notify you if your password will expire in the next few days. At your next interactive login after expiration, a password change will be required.

Password dictionary. OpenVMS maintains a dictionary of common words that it will not allow to be used as passwords. Some password attacks check against most words in a given language. The password dictionary attempts to make this type of attack impractical.

Minimum password length. It is relatively easy for an attacker to try every possible short password. Longer passwords force attackers to try many more combinations, making the attack impractical, except on very fast computer systems to which relatively few attackers have easy access. This step is made stronger by combining it with the rules of the system password dictionary. Typical minimum password lengths are currently six or eight characters. Please note that this mainly refers to attacks on stolen authorization files; it is not possible to try a large number of passwords rapidly against a live OpenVMS system.

Password histories. OpenVMS maintains a list of passwords previously used by a given account and prevents anyone from reusing a previous password. This feature is in place because reuse of previous passwords could effectively defeat the password lifetime feature.

Break-in detection and evasion. While some attacks are carried out on a stolen copy of the User Authorization File, other attacks occur directly on the system under attack. An attacker may try common account names (e.g., SYSTEM or GUEST) or try to determine the username of a legitimate user.

The attacker may then try to log in using the selected account with various likely passwords. Names of the user's family members, pets, make of car, favorite sport, and the like may be tried. Crackers know that many people use such poor passwords because they are easier to remember.

OpenVMS includes a mechanism to combat such password guessing. First, it tries never to give the attacker any clues as to how close his guess was. When an invalid username is entered or a valid username is entered with an incorrect password, OpenVMS responds with the same message, "User Authorization Failure." This prevents an attacker from learning whether the username was valid.

Each time an incorrect username or password is entered, OpenVMS makes note of it. After a certain number of unsuccessful attempts occur within a short time, typically three to five such attempts, break-in evasion is triggered. While break-in evasion is in effect, even the correct username and password will be rejected, with the same "User Authorization Failure" message.

Break-in evasion remains in effect for a random amount of time. This prevents attackers who are familiar with the mechanism from knowing exactly how long they must wait between attempts. Continued attempts during the evasion period result in its being extended for an additional amount of time.

An attacker unfamiliar with the mechanism will never realize whether he stumbled on the right password, and even knowledgeable attackers will not know exactly how many attempts it takes to trigger break-in evasion or how long it will last.

Finally, OpenVMS records the physical location or network address of the attacker while sending security alarms to the system operators.
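The break-in detection and evasion behaviour described above, as an added model written for this page rather than code from OpenVMS or from the book: failures from one source are counted within a window, a random evasion period starts once the limit is reached and is extended by further attempts, correct credentials are refused during evasion, and every rejection carries the same message. The parameter names, the password hash and the sample user are constructed stand-ins, not the real system parameters or the OpenVMS hash.

```python
import hashlib
import random

AUTH_FAILURE = "User Authorization Failure"  # identical text for every rejection


def hash_password(password, salt="constructed-salt"):
    # One-way stand-in for the stored form; not the hash OpenVMS actually uses.
    return hashlib.sha256((salt + password).encode()).hexdigest()


class BreakinEvasion:
    """Model of OpenVMS-style break-in detection and evasion.

    `limit` failures from one source within `window` seconds start evasion
    for a random `hide_min`..`hide_max` seconds. The names are hypothetical
    stand-ins for the real system parameters.
    """

    def __init__(self, users, limit=3, window=300, hide_min=300,
                 hide_max=900, seed=0):
        self.users = users                # username -> stored password hash
        self.limit, self.window = limit, window
        self.hide_min, self.hide_max = hide_min, hide_max
        self.rng = random.Random(seed)    # seeded so a run is reproducible
        self.failures = {}                # source -> recent failure times
        self.evade_until = {}             # source -> time evasion ends
        self.alarms = []                  # (time, source, username) for operators

    def _start_or_extend_evasion(self, source, now):
        # A random period keeps an attacker from knowing how long to wait.
        base = max(now, self.evade_until.get(source, 0))
        self.evade_until[source] = base + self.rng.randint(self.hide_min, self.hide_max)

    def login(self, source, username, password, now):
        """Return (accepted, message) for one attempt from `source` at time `now`."""
        if now < self.evade_until.get(source, 0):
            # Correct credentials are refused too, and the attempt extends evasion.
            self._start_or_extend_evasion(source, now)
            return False, AUTH_FAILURE
        stored = self.users.get(username)
        if stored is not None and stored == hash_password(password):
            return True, "Welcome"
        # Unknown username and wrong password are counted and answered identically.
        recent = [t for t in self.failures.get(source, []) if now - t < self.window]
        recent.append(now)
        self.failures[source] = recent
        if len(recent) >= self.limit:
            self._start_or_extend_evasion(source, now)
            self.alarms.append((now, source, username))  # record source, alert operators
            self.failures[source] = []
        return False, AUTH_FAILURE
```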



Getting Started with OpenVMS: A Guide for New Users (HP Technologies)
ISBN: 1555582796
Year: 2005
Pages: 215
