An important part of password control is ensuring that
passwords are difficult to guess without being too
complex to remember.
You can prevent users from using
passwords that are too easy to guess, like dictionary
words or system names.
select a user name, then select Password Restrictions
from the Users menu, then select Selection.
Set Check for Obviousness to Yes to
run complex checks on passwords. The meaning of Yes
and No varies with the security profile level chosen.
To use the
system default value,
set it to Default.
The meaning can also be set independent of the
security profile as described in
``Customizing password checking''.
To change the system default value, use this command line:
where value is either 1 (use complex checks) or 0
(use less restrictive checks).
You can change the value for an individual user with the
command by omiting the -D option
and appending the user name to the above command.
Table 1-1 Password checking by security profile
Security Check for Obviousness
Defaults No Yes
Low - -
Traditional System V System V-plus
Improved/High goodpw weak goodpw strong
System V (traditional UNIX System V checking) checks
that a password:
is not a rotation of login name (moving characters from beginning to
end of the word and vice versa)
contains at least 2 alphabetic and 1 non-alphabetic characters
contains at least 3 characters different from old password
has a minimum length defined by PASSLENGTH in
/etc/default/passwd or, if PASSLENGTH is
undefined or set to an asterisk (*),
pass a special length check based on the delay between login attempts
and the password lifetime for that user
System V-plus (System V with additions)
checks that a password is:
not a palindrome
not a group or user name
goodpw weak checks that a password does:
not contain the strings ``SCO'', ``XENIX'', or ``UNIX''
(defined in /usr/lib/goodpw/reject)
not contain a user, group, machine, or alias name
pass special length checks based on character mixes (these override
the set minimum length and
are defined in /usr/lib/goodpw/match):
If a password consists of all alphabetic characters of the same case,
it must have a length of at least 6.
If the password consists of two types of alphanumeric characters,
it must have a length of at least 5.
If the password consists only of non-alphanumerics (symbols),
or a mixture of uppercase, lowercase and numerics,
it must have a length of at least 4.
goodpw strong (goodpw weak plus additional checks)
checks that a password:
does not contain a dictionary word
is not a rotation of a user, group, machine, alias name, or dictionary word
checks are defined in the /etc/default/goodpw file
and supplemented or modified by files in the /usr/lib/goodpw
directory. Refer to
``Customizing password checking''
for more information.
Obviousness checking will prevent certain penetrations based on
dictionary checking, but such repeated break-in attempts are
better controlled with login limits -- see
``Setting login restrictions on terminals''.
Obviousness checks increase the time required to change
For information on using the command line interface, see the