
Re: How to increase size when u get the error %SYSTEM-F-USEGENPWD, password history list is full;

 
Victor Mendham
Regular Advisor

How to increase size when u get the error %SYSTEM-F-USEGENPWD, password history list is full;

Attempting to change an account pswd, but getting the following message.

YODA1>set pass
Old password:
New password:
Verification:
%SYSTEM-F-USEGENPWD, password history list is full; please use generated passwords

Is there a way to increase the size of the pwd history list or empty it out?
Victor Mendham
Regular Advisor

Re: How to increase size when u get the error %SYSTEM-F-USEGENPWD, password history list is full;

If,

The (current) default of sixty passwords in the history can be modified
by the system-wide logical name SYS$PASSWORD_HISTORY_LIMIT, and the
(current) default password retention period of one year can be modified
by the logical name SYS$PASSWORD_HISTORY_LIFETIME.

So, if it is set to 4, does this mean I can only keep 4 passwords in my password history file?

(LNM$SYSTEM_TABLE)

"SYS$PASSWORD_HISTORY_LIFETIME" = "365"
"SYS$PASSWORD_HISTORY_LIMIT" = "4"
Ian Miller.
Honored Contributor

Re: How to increase size when u get the error %SYSTEM-F-USEGENPWD, password history list is full;

See
http://h18000.www1.hp.com/support/asktima/operating_systems/00946D07-F37C8600-1C0069.html
either increase the limit
SYS$PASSWORD_HISTORY_LIMIT

Use AUTHORIZE to reset the user's password, as the password history is not checked when the password is changed through AUTHORIZE.

Disable password history checking for this user
UAF> MODIFY username /FLAGS=DISPWDHIS
____________________
Purely Personal Opinion
Victor Mendham
Regular Advisor

Re: How to increase size when u get the error %SYSTEM-F-USEGENPWD, password history list is full;

Regarding the pswd limit of 4....

How does this work?

If I have the account set to require pswd changes every 30 days & 90 days ago my pswd was g00dbye & 60 days ago it was hell000 & 30 days ago it was thelittledog, does this mean I could no longer add another password now, or does it keep track of these pswd's & since they are different, allows a new one to be selected?

On the other hand if 90 days ago it was kittyapr2004 & 60 days ago it was kittymay2004 & 30 days ago it was kittyjun2004, is the system smart enough to say hey if you enter kittyjul2004, you hit the limit of 4 pswd's in the same format?
Art Wiens
Respected Contributor

Re: How to increase size when u get the error %SYSTEM-F-USEGENPWD, password history list is full;

From the Guide to System Security - page 142 in:
http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.PDF

Once a user successfully creates a new password, the system enters the old password on the history list and updates the file. The password history list can hold a large number of words, but it is limited to 60 by default. If this number is exceeded, the user has to use generated passwords. A password remains on the password history list for 365 days (or the default set by SYS$PASSWORD_HISTORY_LIFETIME). Whenever a user account is deleted, the system removes all password records belonging to that account.

Art
Ian Miller.
Honored Contributor

Re: How to increase size when u get the error %SYSTEM-F-USEGENPWD, password history list is full;

sounds to me like
SYS$PASSWORD_HISTORY_LIFETIME / SYS$PASSWORD_HISTORY_LIMIT should be less than or equal to shortest PWDLIFE used on a system otherwise the reported problem will occur.
____________________
Purely Personal Opinion
Eberhard Wacker
Valued Contributor

Re: How to increase size when u get the error %SYSTEM-F-USEGENPWD, password history list is full;

If "SYS$PASSWORD_HISTORY_LIMIT" = "4" then you can change your password 4 times. At the fifth attempt you get the message you've described and must use a password from a generated list.

VMS is not "smart enough" regarding checks of similar passwords. If you want to prevent a user from modifying his password e.g. from TESTTEST1 to TESTTEST2 then you have to write a program which makes the checks (really no trivial thing, activation via SYSGEN parameter LOAD_PWD_POLICY).

What you can do to avoid using a generated password in case that the history limit is reached:

1.) the password modification via MC AUTHORIZE is mentioned above, the DISPWDHIS flag too.

2.) remove the flag GENPWD from your account in the SYSUAF (!) and define the logical with a higher value, then you can modify your password without a "problem" with set password.

3.) you are not willing or allowed to modify the settings of the password logicals: create an fdl file of the file VMS$PASSWORD_HISTORY.DATA , edit it and remove your account, convert it. No problem but not supported.

4.) you have no need or interest that any information within the existing password history file is kept: simply delete it, a new one will be created with the first use of the SETP0 image.

After the days specified by SYS$PASSWORD_HISTORY_LIFETIME you can reuse a former password again.
Ian: doing what you've mentioned means disabling of the whole password history checking for all users. The easier way in this case is to modify the account(s) in the SYSUAF to have no pwdlifetime (or have the dispwdhis flag).

And if you do not want any security then simply set the account to nopassword
Hein van den Heuvel
Honored Contributor

Re: How to increase size when u get the error %SYSTEM-F-USEGENPWD, password history list is full;



If I get annoyed by password history, on a system where I am privileged, I use:

$OPEN/READ/WRITE/SHARE=WRITE P VMS$PASSWORD_HISTORY.DATA
$READ/KEY="my-user-name"/DELETE P record
$SHOW SYMBOL record ! Just in case I want to write it back.
$CLOSE P


VMS Passwords are not stored as a CRC.
This is supposedly not reverse-engineerable.
Still, VMS does 'see' the new proposed password so it could do a few quick pattern detects to catch the blatantly obvious attempts to create an insecurely changed password:
For example, if it gets xxxxx\d+xxxxx (\d being a series of one or more decimals) it could try the new password 'minus 1' or 'plus 1'.
Add to that filter the month / year in local and english language and I'm sure you can catch half of the updated passwords.

Cheers,
Hein.
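
The pattern check described in the post above (and the TESTTEST1 to TESTTEST2 case raised earlier in the thread), as an added example that is not part of the thread and is not OpenVMS code. It assumes SHA-256 as a stand-in for the system's one-way hash; the function names and the sample history are constructed for illustration.

```python
import hashlib
import re

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]

def stand_in_hash(username, password):
    # Assumption: SHA-256 over user:password stands in for the stored one-way
    # hash. Only hashes are kept, so old plaintext is never available.
    return hashlib.sha256(f"{username}:{password.lower()}".encode()).hexdigest()

def neighbours(password):
    """Yield passwords the proposed one could have been trivially derived from."""
    pw = password.lower()
    # Each run of digits: try the value minus 1 and plus 1, keeping the width.
    for m in re.finditer(r"\d+", pw):
        n, width = int(m.group()), len(m.group())
        for delta in (-1, 1):
            if n + delta >= 0:
                yield pw[:m.start()] + str(n + delta).zfill(width) + pw[m.end():]
    # Each English month abbreviation: try the previous and the next month.
    for i, name in enumerate(MONTHS):
        for m in re.finditer(name, pw):
            for delta in (-1, 1):
                yield pw[:m.start()] + MONTHS[(i + delta) % 12] + pw[m.end():]

def too_similar(username, proposed, history_hashes):
    """True if the proposed password, or a trivial neighbour, is in the history."""
    candidates = {proposed.lower(), *neighbours(proposed)}
    return any(stand_in_hash(username, c) in history_hashes for c in candidates)

# Constructed sample history, built from the example passwords in this thread.
HISTORY = {stand_in_hash("victor", p)
           for p in ("kittyapr2004", "kittymay2004", "kittyjun2004", "TESTTEST1")}

if __name__ == "__main__":
    for pw in ("kittyjul2004", "TESTTEST2", "thelittledog", "kittyjan2005"):
        print(pw, "rejected" if too_similar("victor", pw, HISTORY) else "accepted")
```

Because the history holds only hashes, the check works by hashing each neighbour of the proposed password and looking it up; a change that alters both month and year at once (kittyjan2005) is not caught by this single-step search.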
Ian Miller.
Honored Contributor

Re: How to increase size when u get the error %SYSTEM-F-USEGENPWD, password history list is full;

using
"SYS$PASSWORD_HISTORY_LIFETIME / SYS$PASSWORD_HISTORY_LIMIT should be less than or equal to shortest PWDLIFE"

Say lifetime is 365 and shortest pwdlife is 30 days, then limit should be at least 13 to store a year's worth of passwords to make sure the users don't repeat.
____________________
Purely Personal Opinion