Unix tip: Password complexity for users
On older Solaris systems, you would only see a few tunable parameters for controlling passwords. MINWEEKS determined the number of weeks that a user was required to keep his password. MAXWEEKS determined how many weeks could go by before he was forced to change it. And PASSLENGTH, of course, determined the minimum number of characters a password had to have to be accepted by the system. These settings limited the time that a user could keep a password and potentially kept him from changing his password on expiration and immediately changing it back to its original setting.
These settings are stored in several fields of the /etc/shadow file. The record below, for example, shows a password which just recently expired. It was last changed a little over a month ago (date), but was set to expire after 28 days (max). The user was prevented from changing his password within two weeks of setting it (min).
shs:K6be11OCyAwAY:14355:14:28::::
^ ^ ^
| | |
date min max
These settings might look like this in the /etc/default/passwd file:
MAXWEEKS=4 MINWEEKS=2 PASSLENGTH=6
Beyond this, the passwd command required that users include at least two letters and at least one number of special character. If a user trying to change his password didn't follow these rules, he would see a message such as this one:
passwd: The first 6 characters of the password must contain at least two alphabetic characters and at least one numeric or special character.
Solaris 10 offers a suite of settings that provide a lot more control over users' password choices. These settings, stored in the /etc/default/passwd file, allow you to your own rules.
On installation, the /etc/default/passwd file on a Solaris 10 system will have this group of settings all commented out.
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
These settings give you a lot of control over how passwords are set. The fields are used like this:
MINDIFF - Defines the minimum number of differences required between old and new passwords. If not set, it defaults to 3.
MINALPHA - Defines the minimum number of alphabetic characters. If not set, it defaults to 2.
MINNONALPHA - Defines the minimum number of non-alphabetic characters. In other words, digits and special characters. The default is one.
MINUPPER and MINLOWER - Define the minimum number of uppercase and lowercase characters required. Both default to 0. In other words, we might still require letters, but their case is not evaluated unless one of these settings is used.
MAXREPEATS - Determines the number of times you can consecutively use the same character (e.g., 111 or xxx).
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
Passwords are obsolete
Perhaps some of your users might outsmart you and replace you with someone more in tune to their needs. Password authentication is obsolete for the Enterprise. When your users start writing their passwords down on a sticky pad because they can't remember them and have to change them so frequently the cleaning people now have the keys to your kingdom with after hours access to your passwords and your unused workstations. The more obnoxious you make your password change policies the higher the likely hood your precious passwords are scrawled on a slip of paper in a desk drawer or under a keyboard.If security is more than just lip service for your organization put your money where your mouth is and invest in technologies like SecurID tokens.
Obsolete?
Maybe so, but I have 20-30 passwords and no SecurID cards!I hear what you're saying and I don't suggest making passwords so difficult that users have no hope of remembering them. The options available for password control, however, give a wide range of choices and don't have to be used as a form of legal torture. It's just nice to know what is possible in terms of control. Even smart people can choose very stupid passwords.