Before discussing the account and password security mechanisms in detail, I will explain the major security components of an account. You may first want to refer to the basics of account creation discussed in Chapter 4.
The first defense of a secure system is to permit only authorized users to access it. The manager has several parameters to consider when defining his or her password policy. A few of these parameters were discussed in Chapter 4, but that list is incomplete. Here is a more extensive list. A reference to the controlling mechanism accompanies each item.
Number of characters in the password: AUTHORIZE /PWDMINIMUM
Number of passwords (0, 1, or 2) required at login time: AUTHORIZE /PASSWORD
How often the user must change his or her password: AUTHORIZE /PWDLIFETIME
The dictionary of unacceptable passwords: SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA
A mechanism to enforce a password policy (e.g., to insist that the last character of the password must be a number): POLICY_PLAINTEXT.EXE written by manager
Whether the system creates the user's password: AUTHORIZE/FLAGS=GENPWD
Whether to maintain a password history (a history prevents the user from cycling back to previously used passwords): AUTHORIZE/FLAGS=DISPWDHIS
If a password history is maintained, how large it should be: DEFINE SYS$PASSWORD_HISTORY_LIMIT and DEFINE SYS$PASSWORD_HISTORY_LIFETIME
Various aspects of the login process (e.g., how to handle invalid logins): SYSMAN PARAMETER LGI_xxx
What hours the user may log in and by what means (e.g., dial-up, network, direct connection, batch): AUTHORIZE/PRIMEDAYS and AUTHORIZE/ACCESS
Whether the user operates from a controlled menu (captive account) or is free to use all DCL commands: AUTHORIZE/FLAGS=CAPTIVE
Whether a user is permitted to receive mail: AUTHORIZE/FLAGS=DISMAIL
Whether a user is permitted to log in: AUTHORIZE/FLAGS=DISUSER
The manager's account, SYSTEM, may be restricted to log in to specific terminals: SET TERMINAL/PERMANENT/SYSPASSWORD
System privileges granted to the account: AUTHORIZE/PRIVILEGE
Membership in a logical group or groups for the purpose of security access: AUTHORIZE ADD/IDENTIFIER
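As an added example (not from the book), here is how these mechanisms come together for one hypothetical account, JONES, in a DCL command procedure run from a privileged session; the account name, identifier name, terminal name, hours and limits are assumed values chosen for illustration.

```dcl
$ ! Added example, not from the book: a hardened password/login policy for a
$ ! hypothetical account JONES, built from the mechanisms listed above.
$ ! Run from a privileged (SYSPRV, SECURITY) session; values are illustrative.
$ SET DEFAULT SYS$SYSTEM
$ !
$ ! Show the record before changing it (note Pwdminimum, Pwdlifetime, Flags).
$ MCR AUTHORIZE SHOW JONES
$ !
$ ! Per-account policy. DISPWDHIS *disables* history, so NODISPWDHIS enforces
$ ! it; GENPWD makes the system generate the user's passwords.
$ MCR AUTHORIZE MODIFY JONES -
        /PWDMINIMUM=12 -
        /PWDLIFETIME=90-00:00:00 -
        /FLAGS=(GENPWD,NODISPWDHIS,NODISUSER) -
        /PRIMEDAYS=(MON,TUE,WED,THU,FRI,NOSAT,NOSUN) -
        /INTERACTIVE=(PRIMARY,7-18,SECONDARY,NOACCESS) -
        /DIALUP=NOACCESS
$ !
$ ! System-wide history size and retention (put these in
$ ! SYS$MANAGER:SYLOGICALS.COM so they survive a reboot).
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIMIT 60
$ DEFINE/SYSTEM/EXECUTIVE_MODE SYS$PASSWORD_HISTORY_LIFETIME 365
$ !
$ ! Break-in handling: 5 failures within 600 s triggers evasion for 1800 s.
$ ! Add the same settings to SYS$SYSTEM:MODPARAMS.DAT so AUTOGEN keeps them.
$ RUN SYS$SYSTEM:SYSMAN
PARAMETERS USE CURRENT
PARAMETERS SET LGI_BRK_LIM 5
PARAMETERS SET LGI_BRK_TMO 600
PARAMETERS SET LGI_HID_TIM 1800
PARAMETERS WRITE CURRENT
EXIT
$ !
$ ! Require the system password on a hypothetical dial-up port TTA2: before
$ ! any username prompt appears (set it first with SET PASSWORD/SYSTEM).
$ SET TERMINAL TTA2: /PERMANENT/SYSPASSWORD
$ !
$ ! Grant group access through an identifier instead of privileges.
$ MCR AUTHORIZE ADD/IDENTIFIER PAYROLL_STAFF
$ MCR AUTHORIZE GRANT/IDENTIFIER PAYROLL_STAFF JONES
$ !
$ ! Confirm the result.
$ MCR AUTHORIZE SHOW JONES
```

The second SHOW lets you compare the Pwdminimum, Pwdlifetime, Flags, Primary days and access-hours fields against the intended policy before the user's next login.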