Setting recommended password options

Proper password management can only be accomplished through user education. To provide some additional security, the operating system provides configurable password restrictions. These allow the administrator to constrain the passwords chosen by users and to force passwords to be changed regularly.

Password options and extended user attributes are kept in the /etc/security/user file, an ASCII file that contains one attribute stanza per user plus a default stanza. The restrictions are enforced whenever a new password is set for a user. All password restrictions are defined per user: an attribute set in a user's own stanza overrides the value in the default stanza, so restrictions placed in the default stanza apply to every user who does not override them. When auditing, check the per-user stanzas as well as the default stanza, because a single stanza that relaxes an attribute such as minlen or maxage leaves that account protected only by its own weaker values.

Administrators can also extend the password restrictions. Using the pwdchecks attribute of the /etc/security/user file, an administrator can add new subroutines (known as methods) to the password restrictions code. Thus, local site policies can be added to and enforced by the operating system. For more information, see Extending password restrictions.

Apply password restrictions sensibly. Being too restrictive defeats the purpose: restrictions that shrink the password space make guessing easier, and restrictions that force users to choose passwords they cannot remember lead to passwords being written down. Ultimately, password security rests with the user. Simple restrictions, sensible guidelines, and an occasional audit to verify that current passwords are unique are the best policy.

The following table lists recommended values for some security attributes related to user passwords in the /etc/security/user file.

Table 1. Recommended security attribute values for user passwords. Each entry gives the recommended value, the default value, and the maximum value.

dictionlist
    Description: Rejects passwords that appear in the listed dictionary files, such as the standard UNIX word list.
    Recommended: /usr/share/dict/words   Default: not applicable   Maximum: not applicable

histexpire
    Description: Number of weeks before a password can be reused.
    Recommended: 26   Default: 0   Maximum: 260*

histsize
    Description: Number of previous passwords that a user cannot reuse.
    Recommended: 20   Default: 0   Maximum: 50

maxage
    Description: Maximum number of weeks before a password must be changed. A value of 0 means the password never expires.
    Recommended: 8   Default: 0   Maximum: 52

maxexpired
    Description: Maximum number of weeks beyond maxage during which the user can still change an expired password. Root is exempt. The default of -1 disables the restriction.
    Recommended: 2   Default: -1   Maximum: 52

maxrepeats
    Description: Maximum number of times any single character can appear in a password. The default of 8 imposes no limit.
    Recommended: 2   Default: 8   Maximum: 8

minage
    Description: Minimum number of weeks before a password can be changed. Leave this at 0 unless an administrator is always reachable to reset a recently changed password that has been compromised.
    Recommended: 0   Default: 0   Maximum: 52

minalpha
    Description: Minimum number of alphabetic characters required in a password.
    Recommended: 2   Default: 0   Maximum: PW_PASSLEN**

mindiff
    Description: Minimum number of characters in the new password that are distinct from the old password.
    Recommended: 0   Default: 0   Maximum: PW_PASSLEN**

minlen
    Description: Minimum password length.
    Recommended: 6 (8 for the root user)   Default: 0   Maximum: PW_PASSLEN**

minother
    Description: Minimum number of non-alphabetic characters required in a password.
    Recommended: 2   Default: 0   Maximum: PW_PASSLEN**

pwdwarntime
    Description: Number of days before expiry at which the system warns the user that a password change is required.
    Recommended: 5   Default: not applicable   Maximum: not applicable

pwdchecks
    Description: Augments the passwd command with custom code that checks password quality. For more information, see Extending password restrictions.
    Recommended: not applicable   Default: not applicable   Maximum: not applicable

* At most 50 passwords are retained, whatever histexpire would otherwise require.

** PW_PASSLEN is defined in the userpw.h file.

If text processing is installed on the system, the administrator can use the /usr/share/dict/words file as the dictionlist dictionary file. In that case the minother attribute can be set to 0. Note how the two attributes interact: almost every word in the dictionary file is purely alphabetic, so a minother value of 1 or more already rejects the vast majority of those words and the dictionary check adds little. Conversely, when minother is 0, the dictionary check is what stops a user from choosing a plain word as a password.

The effective minimum length of a password is the greater of two values: the minlen attribute, and the sum of the minalpha and minother attributes. Setting minlen alone is therefore not enough if minalpha plus minother is larger, and vice versa.

The maximum length of a password is the number of characters specified by the PW_PASSLEN attribute. How many of those characters influence the stored password value depends on the password algorithm in use: the traditional crypt algorithm uses only the first eight characters, so anything typed beyond them adds no strength. Password algorithms are defined in the /etc/security/pwdalg.cfg file, and the default algorithm is selected through the pwd_algorithm attribute in the /etc/security/login.cfg file; check which algorithm is active before relying on passwords longer than eight characters.

The sum of the minalpha and minother attributes must never be greater than PW_PASSLEN. If it is, the system reduces minother to PW_PASSLEN less minalpha, so the additional non-alphabetic characters are silently no longer required.

If the values of both the histexpire attribute and the histsize attribute are set, the system retains the number of passwords required to satisfy both conditions, up to the system limit of 50 passwords per user. Null passwords are not retained.

You can edit the /etc/security/user file to include any defaults you want to use to administer user passwords. Alternatively, you can change attribute values by using the chuser command.

Other commands that can be used with this file are the mkuser, lsuser, and rmuser commands. The mkuser command creates an entry for each new user in the /etc/security/user file and initializes its attributes with the attributes defined in the /usr/lib/security/mkuser.default file. To display the attributes and their values, use the lsuser command. To remove a user, use the rmuser command.
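The following script ties together the stanza format of /etc/security/user, the default-stanza fallback, the effective-minimum-length rule and the PW_PASSLEN clamp described above, by auditing a stanza file against the values in Table 1. It is an added example written for this page, not an AIX utility and not code from the page itself. The sample file is constructed here (it is not a real host's file), PW_PASSLEN is assumed to be 8 as in userpw.h for the traditional crypt algorithm, and the names user_attr, list_stanzas, effective_minlen and audit_user_file are the example's own.

```shell
#!/bin/sh
# Added example, not from the page or from AIX: audit an /etc/security/user
# stanza file against the recommended values in Table 1. Assumptions: stanza
# files use "name:" headers with indented "attr = value" lines, a user stanza
# overrides the default stanza, and PW_PASSLEN is 8 (userpw.h, traditional
# crypt); verify the value against your release before trusting the clamp.
PW_PASSLEN=8

# Constructed sample, not a real host's file: default carries the recommended
# values, root tightens minlen, backup weakens two settings, svc breaks the clamp.
SAMPLE_USER_FILE="${TMPDIR:-/tmp}/user.sample.$$"
cat > "$SAMPLE_USER_FILE" <<'EOF'
default:
        dictionlist = /usr/share/dict/words
        histexpire = 26
        histsize = 20
        maxage = 8
        maxrepeats = 2
        minalpha = 2
        minlen = 6
        minother = 2

root:
        admin = true
        minlen = 8

backup:
        minlen = 4
        minother = 0
        maxage = 0

svc:
        minalpha = 6
        minother = 4
EOF

# user_attr FILE USER ATTR: effective value of ATTR for USER, taking the user's
# own stanza first and falling back to the default stanza (empty if neither).
user_attr() {
    awk -v user="$2" -v attr="$3" '
        /^[^ \t#*][^:]*:[ \t]*$/ { stanza = $1; sub(/:.*/, "", stanza); next }
        /^[ \t]*[A-Za-z_]+[ \t]*=/ {
            line = $0; sub(/^[ \t]*/, "", line)
            name = line; sub(/[ \t]*=.*/, "", name)
            value = line; sub(/^[^=]*=[ \t]*/, "", value); sub(/[ \t]*$/, "", value)
            if (name != attr) next
            if (stanza == user) found = value
            else if (stanza == "default") def = value
        }
        END { print (found != "" ? found : def) }
    ' "$1"
}

# list_stanzas FILE: every stanza name in the file, including default.
list_stanzas() {
    awk '/^[^ \t#*][^:]*:[ \t]*$/ { s = $1; sub(/:.*/, "", s); print s }' "$1"
}

# effective_minlen FILE USER: max(minlen, minalpha + minother), after the page's
# clamp: if minalpha + minother exceeds PW_PASSLEN, minother becomes PW_PASSLEN - minalpha.
effective_minlen() {
    _ml=$(user_attr "$1" "$2" minlen); _ma=$(user_attr "$1" "$2" minalpha)
    _mo=$(user_attr "$1" "$2" minother)
    _ml=${_ml:-0}; _ma=${_ma:-0}; _mo=${_mo:-0}   # unset attributes count as 0
    if [ $((_ma + _mo)) -gt "$PW_PASSLEN" ]; then _mo=$((PW_PASSLEN - _ma)); fi
    if [ $((_ma + _mo)) -gt "$_ml" ]; then echo $((_ma + _mo)); else echo "$_ml"; fi
}

# audit_user_file FILE: one line per deviation, "<stanza> <attribute> <effective> <recommended>".
audit_user_file() {
    for _u in $(list_stanzas "$1"); do
        _want=6; if [ "$_u" = root ]; then _want=8; fi
        _eff=$(effective_minlen "$1" "$_u")
        if [ "$_eff" -lt "$_want" ]; then echo "$_u minlen $_eff $_want"; fi
        # maxage 0 means the password never expires; above 8 weeks is also flagged
        _v=$(user_attr "$1" "$_u" maxage); _v=${_v:-0}
        if [ "$_v" -eq 0 ] || [ "$_v" -gt 8 ]; then echo "$_u maxage $_v 8"; fi
        _v=$(user_attr "$1" "$_u" histsize); _v=${_v:-0}
        if [ "$_v" -lt 20 ]; then echo "$_u histsize $_v 20"; fi
        _v=$(user_attr "$1" "$_u" histexpire); _v=${_v:-0}
        if [ "$_v" -lt 26 ]; then echo "$_u histexpire $_v 26"; fi
        _v=$(user_attr "$1" "$_u" maxrepeats); _v=${_v:-8}   # unset = default 8 = no limit
        if [ "$_v" -gt 2 ]; then echo "$_u maxrepeats $_v 2"; fi
        # the page's rule: minalpha + minother must never exceed PW_PASSLEN
        _a=$(user_attr "$1" "$_u" minalpha); _o=$(user_attr "$1" "$_u" minother)
        _sum=$(( ${_a:-0} + ${_o:-0} ))
        if [ "$_sum" -gt "$PW_PASSLEN" ]; then echo "$_u minalpha+minother $_sum $PW_PASSLEN"; fi
    done
    return 0
}

echo "Deviations from Table 1 in $SAMPLE_USER_FILE (stanza attribute effective recommended):"
audit_user_file "$SAMPLE_USER_FILE"
```

On a real host, point SAMPLE_USER_FILE at /etc/security/user (readable only by root) instead of the constructed sample. Each reported line maps onto the commands in this section: lsuser -a minlen maxage backup shows the account's current values, and chuser minlen=6 maxage=8 backup applies the recommended ones to that user. The default stanza itself is changed by editing the file or with chsec -f /etc/security/user -s default -a minlen=6. The svc finding is the one to watch for: the effective minimum length still comes out as 8, but only because the system silently cut minother from 4 to 2, so the policy the administrator wrote is not the policy being enforced.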