An important part of password control is ensuring that
passwords are difficult to guess without being too
complex to remember.
You can prevent users from using
passwords that are too easy to guess, like dictionary
words or system names.
In the
Account Manager,
select a user name, then select Password Restrictions
from the Users menu, then select Selection.
Set Check for Obviousness to Yes to
run complex checks on passwords. The meaning of Yes
and No varies with the security profile level chosen.
To use the
system default value,
set it to Default.
The meaning can also be set independently of the
security profile, as described in
``Customizing password checking''.
To change the system default value, use this command line:
where value is either 1 (use complex checks) or 0
(use less restrictive checks).
You can change the value for an individual user with the
usermod(ADM)
command by omitting the -D option
and appending the user name to the above command.
Table 1-1 Password checking by security profile

Security           Check for Obviousness
Defaults           No              Yes
---------------------------------------------------
Low                -               -
Traditional        System V        System V-plus
Improved/High      goodpw weak     goodpw strong

System V (traditional UNIX System V checking) checks
that a password:
  - is not a rotation of the login name (moving characters from beginning to
    end of the word and vice versa)
  - contains at least 2 alphabetic and 1 non-alphabetic characters
  - contains at least 3 characters different from old password
  - has a minimum length defined by PASSLENGTH in
    /etc/default/passwd or, if PASSLENGTH is
    undefined or set to an asterisk (*),
    passes a special length check based on the delay between login attempts
    and the password lifetime for that user
System V-plus (System V with additions)
checks that a password is:
  - not a palindrome
  - not a group or user name
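
The System V and System V-plus checks listed above, modelled as an added Python example (not SCO's passwd or goodpw code). The function names, the case-insensitive name comparison, the position-by-position count of changed characters, and the sample login, passwords and PASSLENGTH value are assumptions; the special length check used when PASSLENGTH is undefined is not modelled.

```python
# Added example: models the System V and System V-plus checks listed above.
# It is not SCO's passwd/goodpw code; comparison details are assumptions.

def rotations(word):
    """All circular shifts of word (characters moved from one end to the other)."""
    return {word[i:] + word[:i] for i in range(len(word))}

def chars_changed(old, new):
    """Assumption: count positions that differ, plus any difference in length."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))

def system_v(password, login, old_password, passlength):
    """Return the list of System V rules the candidate password breaks."""
    failures = []
    # Assumption: the login-name comparison ignores case.
    if password.lower() in rotations(login.lower()):
        failures.append("rotation of login name")
    alpha = sum(c.isalpha() for c in password)
    if alpha < 2 or len(password) - alpha < 1:
        failures.append("needs 2 alphabetic and 1 non-alphabetic characters")
    if chars_changed(old_password, password) < 3:
        failures.append("fewer than 3 characters differ from old password")
    if len(password) < passlength:
        failures.append("shorter than PASSLENGTH")
    return failures

def system_v_plus(password, login, old_password, passlength, names):
    """System V checks plus the palindrome and user/group name checks."""
    failures = system_v(password, login, old_password, passlength)
    if password == password[::-1]:
        failures.append("palindrome")
    if password.lower() in {n.lower() for n in names}:
        failures.append("group or user name")
    return failures

if __name__ == "__main__":
    # Constructed sample data: login, old password, PASSLENGTH and names are made up.
    names = ["alice7", "backup", "staff9"]
    for candidate in ["ice7al", "ab1221ba", "staff9", "river7milk", "river7bank"]:
        print(candidate, system_v_plus(candidate, "alice7", "river7mill", 6, names))
```
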
goodpw weak checks that a password does:
  - not contain the strings ``SCO'', ``XENIX'', or ``UNIX''
    (defined in /usr/lib/goodpw/reject)
  - not contain a user, group, machine, or alias name
  - pass special length checks based on character mixes (these override
    the set minimum length and
    are defined in /usr/lib/goodpw/match):
      - If a password consists of all alphabetic characters of the same case,
        it must have a length of at least 6.
      - If the password consists of two types of alphanumeric characters,
        it must have a length of at least 5.
      - If the password consists only of non-alphanumerics (symbols),
        or a mixture of uppercase, lowercase and numerics,
        it must have a length of at least 4.
goodpw strong (goodpw weak plus additional checks)
checks that a password:
  - does not contain a dictionary word
  - is not a rotation of a user, group, machine, alias name, or dictionary word
The
goodpw(ADM)
checks are defined in the /etc/default/goodpw file
and supplemented or modified by files in the /usr/lib/goodpw
directory. Refer to
``Customizing password checking''
for more information.
NOTE:
Obviousness checking will prevent certain penetrations based on
dictionary checking, but such repeated break-in attempts are
better controlled with login limits -- see
``Setting login restrictions on terminals''.
Obviousness checks increase the time required to change
a password.
For information on using the command line interface, see the
usermod(ADM)
manual page.