Security Management Guide (G06.24+, H06.03+)
Concerns for the System Administration Team
Security Management Guide—522283-008
7-9
Password Change Periods
The following command displays the user authentication record for CLERK.ROBIN:
=INFO USER CLERK.ROBIN, GENERAL
GROUP.USER USER-ID OWNER LAST-MODIFIED LAST-LOGON STATUS
CLERK.ROBIN 102,11 250,1 18JUN94, 14:35 * NONE * THAWED
UID = 26123
USER-EXPIRES = * NONE *
PASSWORD-EXPIRES = * NONE *
PASSWORD-MAY-CHANGE = * NONE *
PASSWORD-MUST-CHANGE EVERY = * NONE *
PASSWORD-EXPIRY-GRACE = * NONE *
LAST-LOGON = * NONE *
LAST-UNSUCCESSFUL-ATTEMPT = * NONE *
LAST-MODIFIED = * NONE *
FROZEN/THAWED = THAWED
STATIC FAILED LOGON COUNT = 0
GUARDIAN DEFAULT SECURITY = OOOO
GUARDIAN DEFAULT VOLUME = $SYSTEM.NOSUBVOL
Password Change Periods
With the PASSWORD-MUST-CHANGE attribute in each Safeguard user authentication
record, you can force a user’s password to expire after a specified period of time. This
Safeguard feature motivates people to change their passwords before the expiration
date. After a password is changed, a new expiration date is automatically set, and the
new password remains valid until that date.
However, requiring that passwords change too often can be counterproductive
because:
•
A clever user might set up a mechanism to change the password through a
predictable series (paswrd1, paswrd2, ...) or even to change the password to itself.
(You can use proper Safeguard settings to discourage this behavior.)
•
A user might change a password correctly but write it down in an obvious place to
remember it.
Your security policy should guide you in determining the proper period for password
expiration.
Password Expiration Warning
If the Safeguard software is running, a user is given advance warning of password
expiration during the logon procedure. This warning occurs during the period specified
by the PASSWORD-MAY-CHANGE configuration attribute. For more information, see
the Safeguard Administrator’s Manual.