How to enforce password complexity on Solaris

By  

If not set, no digits are required. However, if you have a MINNONALPHA setting, one digit or one special character would still be required. Note that the passwd(1) man page says MINNONALPHA cannot be specified together with MINDIGIT or MINSPECIAL, so pick one style of rule or the other.
MINSPECIAL - In a similar manner to MINDIGIT, MINSPECIAL determines how many special (non-alphanumeric) characters are needed. It defaults to 0, meaning none are required.
WHITESPACE - Determines whether whitespace characters (blanks and tabs) are allowed in passwords. This setting defaults to YES.

Remove the # sign from each setting you want enforced and adjust the value to match your security policy; a setting left commented out keeps its default.

The following settings require a user to change his password every 12 weeks (roughly three months), prevent him from changing it again within two weeks of the most recent change, and warn him at login for the two weeks before it expires. PASSLENGTH=12 sets the minimum length. The most serious security issue with these settings is the MINWEEKS value: a user who has reason to believe his account has been compromised cannot change his password to one the intruder doesn't know until the two weeks are up, and has to ask an administrator to reset it instead (root is not bound by the minimum age). Two further caveats: these values are written into the aging fields of /etc/shadow, in days, when a password is next changed, so apply them to existing accounts with passwd -n, -x and -w (and inspect them with passwd -s); and with the traditional __unix__ crypt algorithm (CRYPT_DEFAULT in /etc/security/policy.conf) only the first eight characters of a password are significant, so choose a modern algorithm such as SHA-256 (5) before relying on a 12-character minimum.

MAXWEEKS=12
MINWEEKS=2
WARNWEEKS=2
PASSLENGTH=12
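To see how the week-based settings above play out for an individual account, here is a small model of them. It is an added example, not code from the article or from Solaris: the /etc/default/passwd fragment and the account name "alice" are constructed, and the status logic is a simplified model of the aging that passwd and login enforce.

```python
# Added example: a model of the Solaris aging settings above, not code from
# the article. The fragment and the account name are constructed.

DEFAULTS_CONSTRUCTED = """\
# constructed /etc/default/passwd fragment
MAXWEEKS=12
MINWEEKS=2
WARNWEEKS=2
PASSLENGTH=12
"""


def parse_defaults(text):
    """Parse the KEY=VALUE lines of /etc/default/passwd, skipping blanks
    and '#' comments (a commented-out setting stays unset)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def aging_in_days(settings):
    """Solaris keeps aging in /etc/shadow in days, so convert the week
    values; a missing value means 0 (no restriction)."""
    return {
        "min": 7 * int(settings.get("MINWEEKS", 0)),
        "max": 7 * int(settings.get("MAXWEEKS", 0)),
        "warn": 7 * int(settings.get("WARNWEEKS", 0)),
    }


def aging_status(settings, days_since_change):
    """What an unprivileged user experiences N days after the last change.
    Root is not bound by the minimum age and can always reset the password."""
    d = aging_in_days(settings)
    days_left = d["max"] - days_since_change
    return {
        "can_change": days_since_change >= d["min"],
        "expired": d["max"] > 0 and days_left <= 0,
        "warn": d["max"] > 0 and 0 < days_left <= d["warn"],
        "days_left": days_left,
    }


def passwd_aging_command(user, settings):
    """The passwd(1) invocation that applies these defaults to an existing
    account now, instead of waiting for the user's next password change."""
    d = aging_in_days(settings)
    return "passwd -n %d -x %d -w %d %s" % (d["min"], d["max"], d["warn"], user)


if __name__ == "__main__":
    s = parse_defaults(DEFAULTS_CONSTRUCTED)
    print(aging_in_days(s))
    for day in (3, 20, 75, 84):
        # day 3 is the "I think I've been compromised" case: blocked by MINWEEKS
        print(day, aging_status(s, day))
    print(passwd_aging_command("alice", s))
```

Day 3 shows the problem described above: the user is inside the MINWEEKS window and cannot change the password himself. The last line is the command an administrator would run to push the same aging onto an account that already exists.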

Now let's take a look at some settings that might work well for a site that is concerned about password strength. In the settings below, the 12-character passwords we are requiring must differ from the previous password by at least four characters. At least four of the 12 characters must be alphabetic, with at least one uppercase and one lowercase letter, at least one character must be a digit, and no character may appear more than twice in a row. MINNONALPHA is deliberately left commented out: the passwd(1) man page states that it cannot be combined with MINDIGIT or MINSPECIAL, so MINDIGIT carries the requirement here (set MINNONALPHA=1 and drop MINDIGIT instead if either a digit or a special character is acceptable to you). The password Yr2012Dragon would work (even if the prior password was Yr2011Rabbit).

MINDIFF=4
MINALPHA=4
#MINNONALPHA=1
MINUPPER=1
MINLOWER=1
MAXREPEATS=2
#MINSPECIAL=0
MINDIGIT=1
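The following checker evaluates candidate passwords against the settings just shown and flags the MINNONALPHA/MINDIGIT/MINSPECIAL conflict. It is an added example, not code from the article or from Solaris: the configuration fragments are constructed, and the character-class, MAXREPEATS and MINDIFF rules are a simplified model written for this example rather than the logic of Sun's pam_authtok_check module (MINDIFF in particular is modelled as the count of differing character positions, an assumption).

```python
# Added example: checks candidate passwords against the complexity settings
# above, and lints the MINNONALPHA/MINDIGIT/MINSPECIAL conflict that
# passwd(1) documents. The rules are a simplified model written for this
# example, not Sun's pam_authtok_check code.

STRICT_CONSTRUCTED = """\
# constructed fragment: the strict settings from the article
PASSLENGTH=12
MINDIFF=4
MINALPHA=4
#MINNONALPHA=1
MINUPPER=1
MINLOWER=1
MAXREPEATS=2
#MINSPECIAL=0
MINDIGIT=1
WHITESPACE=NO
"""

# The same fragment with MINNONALPHA uncommented as well: the combination
# passwd(1) says is not allowed (constructed to exercise the lint).
CONFLICTING_CONSTRUCTED = STRICT_CONSTRUCTED + "MINNONALPHA=1\n"


def parse_defaults(text):
    """Parse KEY=VALUE lines of /etc/default/passwd; '#' lines stay unset."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def lint_settings(settings):
    """Configuration problems passwd(1) documents as not allowed."""
    problems = []
    if "MINNONALPHA" in settings and ("MINDIGIT" in settings or "MINSPECIAL" in settings):
        problems.append("MINNONALPHA cannot be combined with MINDIGIT or MINSPECIAL")
    return problems


def longest_run(s):
    """Length of the longest run of one repeated character."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(new, old, settings):
    """Names of the settings the new password violates; empty means accepted."""
    g = lambda key, default=0: int(settings.get(key, default))
    alpha = sum(c.isalpha() for c in new)
    digit = sum(c.isdigit() for c in new)
    space = sum(c.isspace() for c in new)
    special = len(new) - alpha - digit - space   # assumption: everything else
    failures = []
    if len(new) < g("PASSLENGTH", 6):            # Solaris default minimum is 6
        failures.append("PASSLENGTH")
    if alpha < g("MINALPHA"):
        failures.append("MINALPHA")
    if sum(c.isupper() for c in new) < g("MINUPPER"):
        failures.append("MINUPPER")
    if sum(c.islower() for c in new) < g("MINLOWER"):
        failures.append("MINLOWER")
    if digit < g("MINDIGIT"):
        failures.append("MINDIGIT")
    if special < g("MINSPECIAL"):
        failures.append("MINSPECIAL")
    # MINNONALPHA applies when set, or by default (1) when neither MINDIGIT
    # nor MINSPECIAL is set, as the article describes.
    if "MINNONALPHA" in settings or not ("MINDIGIT" in settings or "MINSPECIAL" in settings):
        if digit + special < g("MINNONALPHA", 1):
            failures.append("MINNONALPHA")
    if g("MAXREPEATS") and longest_run(new) > g("MAXREPEATS"):
        failures.append("MAXREPEATS")
    if settings.get("WHITESPACE", "YES").upper() == "NO" and space:
        failures.append("WHITESPACE")
    # MINDIFF modelled as differing character positions plus any length
    # difference; an assumption of this example.
    if old is not None and g("MINDIFF"):
        diff = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
        if diff < g("MINDIFF"):
            failures.append("MINDIFF")
    return failures


if __name__ == "__main__":
    strict = parse_defaults(STRICT_CONSTRUCTED)
    print("lint:", lint_settings(parse_defaults(CONFLICTING_CONSTRUCTED)))
    for candidate in ("Yr2012Dragon", "yr2012dragon", "Yr2011Rabbit",
                      "Aaaa1234Bcde", "Yr2012Drag"):
        print(candidate, check_password(candidate, "Yr2011Rabbit", strict))
```

Yr2012Dragon passes with the previous password Yr2011Rabbit, while the lower-case, unchanged, triple-letter and ten-character variants each fail on exactly the setting you would expect, and the lint reports the fragment that sets MINNONALPHA alongside MINDIGIT.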

You can also tell Solaris to reject passwords that appear in a word list. The list can contain whatever words you like, though it is of little use unless it is fairly extensive. To build the dictionary database that passwd consults, run mkpwdict (standing for "make password dictionary") and point it at your word file; it writes the database to the DICTIONDBDIR location, /var/passwd by default. You can feed it more than one file. To use a file named /usr/share/lib/dict/words, you would type:

# mkpwdict -s /usr/share/lib/dict/words

You would then set DICTIONLIST (a comma-separated list of your word files) or DICTIONDBDIR (the directory holding the generated database) in your /etc/default/passwd file so the check is enabled; if neither is set, no dictionary check is made.

DICTIONLIST=/usr/share/lib/dict/words

Solaris provides sufficient settings for ensuring that your users' passwords will be set to reasonably secure values. One last check: these rules are enforced by the pam_authtok_check module, which by default skips them for root; add the force_check option to its line in /etc/pam.conf if you want privileged users held to the same policy. You're bound to get some pushback. No one likes to be forced to change their passwords every few months or to include digits or special characters. But if you remind your users why it's important and give them tips on how to make secure passwords that they have a chance of remembering, you will probably get their cooperation.
