How to enforce password complexity on Solaris


To ensure the security of passwords on Solaris systems, you need to edit the /etc/default/passwd file and assign values to a series of settings that enforce length and complexity.

The MAXWEEKS and MINWEEKS timing parameters control how often passwords can and must be changed. The password length is controlled by PASSLENGTH. The default six-character setting is clearly far too small for today's security challenges. This should be changed to 12 to be in keeping with current best practice. Unlike Linux systems, however, 12 means 12. It's strictly a length measurement, not a complexity score.


The other set of parameters controls how many letters, digits and other non-letters must be used. The minimum numbers of uppercase and lowercase characters are set separately with the MINUPPER and MINLOWER settings.


NAMECHECK - When set to YES, this setting causes the system to check whether the password and login name are identical. So using the password "henrystocker" for the user henrystocker would be denied by this setting. The default for this setting is yes. So, to change it, you would uncomment the line shown above.
HISTORY - Determines the length of the history buffer used to ensure that passwords are not repeated within a certain length of time. Setting HISTORY to 12 or 24 is probably good, but you also need to consider how long a new password would have to be kept to determine how long a user would have to wait to reuse a password. If HISTORY were set to 12, but MINWEEKS (see above) set to 0, a person could change his password twelve times in succession and get back to the original.
MINDIFF - Defines the minimum number of differences required between old and new passwords. If not set, it defaults to 3. This means that your users would have to change at least three characters when they create a new password. Going from LogMeOnMay2012 to LogMeOnJun2012 would be acceptable.
MINALPHA - Defines the minimum number of alphabetic characters. If not set, it defaults to 2.
MINNONALPHA - Defines the minimum number of non-alphabetic characters that must be included in a password. Non-alphabetic includes both digits and special characters. The default is one.
MINUPPER and MINLOWER - Define the minimum number of uppercase and lowercase characters required. Both default to 0. You can require a certain number of letters using MINALPHA, but their case would not be considered unless one of these settings is also used.
MAXREPEATS - Determines the number of times you can consecutively use the same character (e.g., 111 or qqq). This is not checked by default.
MINDIGIT - Determines how many digits are required.
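The settings above can be read from a file in the /etc/default/passwd format and applied to a candidate password to see which rules it trips. The following is an added example (not part of the article and not Solaris' own pam_authtok_check code) that parses a constructed sample fragment and models the per-password rules; it assumes MINDIFF counts differing positions plus any length change, and that MAXREPEATS is the longest run of one character allowed.

```python
# Constructed sample in the style of /etc/default/passwd (not a real system file)
SAMPLE_CONFIG = """
# /etc/default/passwd fragment (constructed sample)
PASSLENGTH=12
NAMECHECK=YES
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=1
MINLOWER=1
MAXREPEATS=2
MINDIGIT=1
"""

def parse_passwd_defaults(text):
    """Parse KEY=VALUE lines, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def max_run(s):
    """Length of the longest run of one repeated character ('qqq' -> 3)."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best

def check_password(new, old, login, settings):
    """Return the names of the settings the candidate password violates.
    Assumption: MINDIFF is counted positionally; MAXREPEATS is a run length."""
    n = lambda key, default: int(settings.get(key, default))
    failures = []
    alpha = sum(c.isalpha() for c in new)
    if len(new) < n("PASSLENGTH", 6): failures.append("PASSLENGTH")
    if settings.get("NAMECHECK", "YES").upper() == "YES" and new == login: failures.append("NAMECHECK")
    if alpha < n("MINALPHA", 2): failures.append("MINALPHA")
    if len(new) - alpha < n("MINNONALPHA", 1): failures.append("MINNONALPHA")
    if sum(c.isupper() for c in new) < n("MINUPPER", 0): failures.append("MINUPPER")
    if sum(c.islower() for c in new) < n("MINLOWER", 0): failures.append("MINLOWER")
    if sum(c.isdigit() for c in new) < n("MINDIGIT", 0): failures.append("MINDIGIT")
    if "MAXREPEATS" in settings and max_run(new) > n("MAXREPEATS", 0): failures.append("MAXREPEATS")
    diff = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))  # positional differences
    if old and diff < n("MINDIFF", 3): failures.append("MINDIFF")
    return failures
```

With the sample settings, the article's LogMeOnMay2012 to LogMeOnJun2012 change passes MINDIFF (three positions differ), while a password equal to the login name fails NAMECHECK.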

