Recent blog posts

Unix tip: Password complexity for users

By Sandra Henry-Stocker  2 comments

May 27, 2009, 7:23 PM On older Solaris systems, you would only see a few tunable parameters for controlling passwords. MINWEEKS determined the number of weeks that a user was required to keep his password. MAXWEEKS determined how many weeks could go by before he was forced to change it. And PASSLENGTH, of course, determined the minimum number of characters a password had to have to be accepted by the system. These settings limited the time that a user could keep a password and potentially kept him from changing his password on expiration and immediately changing it back to its original setting.

These settings are stored in several fields of the /etc/shadow file. The record below, for example, shows a password which just recently expired. It was last changed a little over a month ago (date), but was set to expire after 28 days (max). The user was prevented from changing his password within two weeks of setting it (min).

shs:K6be11OCyAwAY:14355:14:28::::
                   ^    ^   ^
                   |    |   |
                  date min max

These settings might look like this in the /etc/default/passwd file:

MAXWEEKS=4
MINWEEKS=2
PASSLENGTH=6

Beyond this, the passwd command required that users include at least two letters and at least one number of special character. If a user trying to change his password didn't follow these rules, he would see a message such as this one:

passwd: The first 6 characters of the password must contain at
least two alphabetic characters and at least one numeric or
special character.

Solaris 10 offers a suite of settings that provide a lot more control over users' password choices. These settings, stored in the /etc/default/passwd file, allow you to your own rules.

On installation, the /etc/default/passwd file on a Solaris 10 system will have this group of settings all commented out.

#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES

These settings give you a lot of control over how passwords are set. The fields are used like this:

MINDIFF - Defines the minimum number of differences required between old and new passwords. If not set, it defaults to 3.
MINALPHA - Defines the minimum number of alphabetic characters. If not set, it defaults to 2.
MINNONALPHA - Defines the minimum number of non-alphabetic characters. In other words, digits and special characters. The default is one.
MINUPPER and MINLOWER - Define the minimum number of uppercase and lowercase characters required. Both default to 0. In other words, we might still require letters, but their case is not evaluated unless one of these settings is used.
MAXREPEATS - Determines the number of times you can consecutively use the same character (e.g., 111 or xxx). This is not checked by default.
MINDIGIT - Determines how many digits are required. If not set, no digits are required. However, we still likely have a MINNONALPHA setting, so one digit or one special character is likely required.
MINSPECIAL - In similar manner to MINDIGIT, MINSPECIAL determines how many special characters are needed and defaults to none.
WHITESPACE - Determines whether whitespace characters (blanks and tabs) are allowed.

We still have the MAXWEEKS and MINWEEKS settings and also the PASSLENGTH that earlier versions of Solaris include.

The Solaris 10 /etc/default/passwd file also contains a setting for NAMECHECK. This is the setting that allows or disallows passwords which are the same as or a circular shift of the username. This is not new, you say? Ah, yes, you're right. What is new is that this allows you to turn this checking off. Not that you'd want to, but you can if you are so inclined.

There's also a WARNWEEKS setting that can be used to determine when a user will be warned about when his password will expire. You might, for example, want to warn him a week or two ahead of time.

The other new and interesting setting is one called HISTORY. This setting allows you to prevent the user from repeating passwords. You set a depth, say 8, which would mean that the system would "remember" the user's last eight passwords and would not allow a new password to be a repeat of any in this set. The passwords themselves are kept in hash form in a file called /etc/security/passhistory. It might look something like this:

shs:bwQb4CuIarli2:EuFLxSrsGyKg2:stzheFITH4.s.:K6be13OCyAmAY:jYLCn8bqEqBCg:DBQRGX
Twtp5as:9EpFTsPvStZhQ:v7LCXZDyav.DI:JPPDCsc4W6BsU:MN9D4nIR/TemU:MNGBAL/xYFQm2:

Now, how clever is that? Maybe we'll finally outsmart our more stubborn users.

2 comments

    Anonymous 2 years ago
    Perhaps some of your users might outsmart you and replace you with someone more in tune to their needs. Password authentication is obsolete for the Enterprise. When your users start writing their passwords down on a sticky pad because they can't remember them and have to change them so frequently the cleaning people now have the keys to your kingdom with after hours access to your passwords and your unused workstations. The more obnoxious you make your password change policies the higher the likely hood your precious passwords are scrawled on a slip of paper in a desk drawer or under a keyboard. If security is more than just lip service for your organization put your money where your mouth is and invest in technologies like SecurID tokens.
    Flag comment  |  Permalink Reply
    Sandra Henry-Stocker
    Sandra Henry-Stocker TRUSTED USER 2 years ago in reply to Anonymous
    Maybe so, but I have 20-30 passwords and no SecurID cards!I hear what you're saying and I don't suggest making passwords so difficult that users have no hope of remembering them. The options available for password control, however, give a wide range of choices and don't have to be used as a form of legal torture. It's just nice to know what is possible in terms of control. Even smart people can choose very stupid passwords.
    Flag comment  |  Permalink Reply

      Add a comment

      Post a comment using one of these accounts
      Or join now
      At least 6 characters

      Note: Comment will appear soon after you have activated your account.
      Obscene/spam comments will be removed and accounts suspended.
      The information you submit is subject to our Privacy Policy and Terms of Service.

      ITworld LIVE

      IT Management/StrategyWhite Papers & Webcasts

      White Paper

      Evaluator Group: Storage Federation - IT Without Limits (Analysis of HP Peer Motion with Storage Federation)

      As the role of IT increases within organizations, the need to move data when and where it is needed is critical to support emerging business requirements. This has become increasingly difficult due to the huge growth of data volumes. This white paper sponsored by HP + Intel evaluates a solution that aims to enable the movement of data without physical limitations. Read now and see how this could enable agility and efficiency.

      White Paper

      ESG Lab Validation Report: HP Data Protector & Deduplication Solutions

      Many organizations have deployed disk-to-disk backup technologies to improve the speed and reliability of their backup and disaster recovery operations. A growing number of these now look to data deduplication to enhance retention periods and reduce costs. This ESG Lab Validation Report sponsored by HP + Intel examines a number of backup and recovery solutions and evaluates their ease of implementation as well as their ability to improve reliability and reduce costs.

      White Paper

      Business Value of Blade

      The nature of the blade platform makes system management, monitoring and provisioning easy and efficient. Access this resource to learn how blade migration will save your data center time and money while increasing performance.

      White Paper

      Accelerate time to application value

      For your IT organization to keep pace with the business, you need a new, faster approach to infrastructure deployment-an approach that increases agility and accelerates time to application value. That's HP Converged Systems. Built on Converged Infrastructure, these systems deliver the industry's first portfolio of pre-integrated, tested, and optimized infrastructure solutions for applications running in virtual, cloud, dedicated, or hybrid environments.

      White Paper

      Converged Infrastructure for Dummies

      As you know, everything is mobile, connected, interactive, and immediate. This is exactly why organizations need a highly agile IT infrastructure in order to keep pace with extreme fluctuations in business demand. This book will help you understand why infrastructure convergence has been widely accepted as the optimal approach for simplifying and accelerating your IT to deliver services at the speed of business while also shifting significantly more IT resources from operations to innovation.

      See more White Papers | Webcasts

      Answers - Powered by ITworld

      ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

      Join Now

      New questions

      How well does facial recognition work for device security?
      0 answers
      What type of enterprise user is going to use Ubuntu Business Desktop Remix?
      1 answer
      How much will the security flaws in Google Wallet set back the transition to "digital wallets"?
      2 answers
      What can be done to control noise levels in data centers?
      1 answer
      What mobile apps are the worst offenders to user privacy?
      2 answers
      View more questions

      Ask a question

      Join Now or Sign In to ask a question.
      Ask a Question