> 1. Passwords much be set to 8 characters or more.
This is set per user in the UAF with MODIFY/PWDMINIMUM=value
the default default is 6. Change with
UAF> MODIFY DEFAULT/PRDMINIMUM=8
>2. Password complexity must be enabled.
>3. Passwords must include an alpha, a numeric, and a punctuation character.
You'll need to enable mixed passwords for each account and/or the default:
UAF> MODIFY user/FLAGS=PWDMIX
UAF> MODIFY DEFAULT/FLAGS=PWDMIX
To enable complexity rules, you'll need a VMS$PASSWORD_POLICY module. A Google search for VMS$PASSWORD_POLICY should find example code, which include instructions. I've also attached a MACRO32 version. You may need to modify the code to implement the policy you require.
> 4. Password re set must not allow one of the last 6 passwords used.
Set system wide with the system executive logical name SYS$PASSWORD_HISTORY_LIMIT. Default if not defined is 60. You can also defined SYS$PASSWORD_HISTORY_LIFETIME, which is the minimum
time to password reuse. Default is 365 days. I'd go with the stricter OpenVMS defaults.
> 5. Lock out must be in place after 3 failed log in attempts.
This is probably not a good idea. You can do it by setting SYSGEN parameters LGI_BRK_LIM to 3 and LGI_BRK_DISUSER to 1. However, this opens you up to DOS attacks - it's trivially easy to lock out one of your users, and 3 retries isn't sufficient for normal fumble fingers. Personally, I'd increase the limit from the default of 5 to about 20, and increase LGI_HID_TIM to a few hours. That will be more than sufficient to protect againt brute force attacks, give you plenty of warning from audit logs, but still give folk plenty of room for mistyping.
A crucible of informative mistakes
