Password Administration
Password administration involves setting parameters to control password
aging, changing a user's password as needed, and possibly locking a user
account to prevent use.
Password Aging
The parameters of the /etc/shadow file determine the password aging policy. These are set through the Account Security fields of the admintool command's Add or Modify User Account window. This includes how long a password is valid (Max Change), how often it can be changed (Min Change), and how long an account can be inactive before the password must be changed (Max Inactive). These parameters enforce a policy for protecting the integrity of passwords.
Note that of these three password-aging parameters, only Max Inactive can be specified using the useradd command and modified using the usermod command.
Password Requirements
Unless specified by a superuser account such as root, passwords must meet the following requirements:
➤ A password must contain at least the number of characters specified by the PASSLENGTH parameter contained in the /etc/default/passwd file. The default is six. It is best to increase this value to eight.
➤ A password must contain at least two alphabetic characters and at least one numeric character (within the first PASSLENGTH characters).
➤ A password cannot be the same as the user account name, the reverse of the user account name, or a circular shift of the user account name. Any uppercase letters are mapped to lowercase letters for requirement checking. This means that the password for the guest user account cannot be guest, tseug, uestg, estgu, GUEST, and so on.
➤ A new password must be different by at least three characters from the old password. Once again, uppercase and lowercase letters are equivalent for requirement checking.
Passwords can be any length, but only the first eight characters are significant. For example, a password can be defined as 25administration, but 25admini is actually used to log into the system.
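The rules above, as an added example checker written for this section (it is not the Solaris passwd source and does not reproduce its exact logic). It assumes a constructed in-memory copy of /etc/default/passwd with PASSLENGTH raised to eight, applies the old-versus-new comparison to the eight significant characters only, and counts "different by at least three characters" position by position after case folding.

```python
"""Checker for the classic Solaris password rules (added example, assumptions noted)."""
import re

SIGNIFICANT = 8  # only the first eight characters of a password are significant

# Constructed stand-in for /etc/default/passwd, with PASSLENGTH raised from 6 to 8
DEFAULT_PASSWD_FILE = """# constructed sample file
MAXWEEKS=
MINWEEKS=
PASSLENGTH=8
"""


def read_passlength(text: str, default: int = 6) -> int:
    """Return the PASSLENGTH value from /etc/default/passwd text, or the default of six."""
    match = re.search(r"^\s*PASSLENGTH\s*=\s*(\d+)", text, re.MULTILINE)
    return int(match.group(1)) if match else default


def circular_shifts(word: str) -> set:
    """All rotations of word, e.g. guest -> guest, uestg, estgu, stgue, tgues."""
    return {word[i:] + word[:i] for i in range(len(word))}


def check_password(new: str, old: str, user: str, passlength: int) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(new) < passlength:
        problems.append("length")  # shorter than PASSLENGTH
    head = new[:passlength]  # composition is judged on the first PASSLENGTH characters
    if sum(c.isalpha() for c in head) < 2 or not any(c.isdigit() for c in head):
        problems.append("composition")  # needs two letters and one digit
    lowered, u = new.lower(), user.lower()  # case is folded for the name checks
    if lowered in circular_shifts(u) or lowered == u[::-1]:
        problems.append("username")  # equals the name, its reverse, or a rotation
    # Assumption: compare the eight significant characters position by position;
    # a length difference counts as that many differing characters.
    a, b = old.lower()[:SIGNIFICANT], new.lower()[:SIGNIFICANT]
    differing = sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))
    if differing < 3:
        problems.append("similarity")  # fewer than three characters changed
    return problems


if __name__ == "__main__":
    limit = read_passlength(DEFAULT_PASSWD_FILE)
    for candidate in ("tseug", "25administration", "Sol4ris!x"):
        print(candidate, check_password(candidate, "25admiNistration", "guest", limit))
```

Note that 25administration is rejected as too similar to 25admiNistration: the eight significant characters are identical once case is folded, so the trailing characters do not count.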