System Administration Guide
Chapter 1, Administering user accounts

Restricting password obviousness

An important part of password control is ensuring that passwords are difficult to guess without being too complex to remember. You can prevent users from using passwords that are too easy to guess, like dictionary words or system names.

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

Set Check for Obviousness to Yes to run complex checks on passwords. The meaning of Yes and No varies with the security profile level chosen (see Table 1-1). To use the system default value, set it to Default. The meaning can also be set independently of the security profile, as described in ``Customizing password checking''.

To change the system default value, use this command line:

usermod -D -x "{passwdCheckedForObviousness value}"

where value is either 1 (use complex checks) or 0 (use less restrictive checks).

You can change the value for an individual user with the usermod(ADM) command by omitting the -D option and appending the user name to the above command.

Table 1-1 Password checking by security profile

 Security        Check for Obviousness
 Defaults        No            Yes
 -------------   -----------   -------------
 Low             -             -
 Traditional     System V      System V-plus
 Improved/High   goodpw weak   goodpw strong

System V (traditional UNIX System V checking) checks that a password:

System V-plus (System V with additions) checks that a password is:

goodpw weak checks that a password does:

goodpw strong (goodpw weak plus additional checks) checks that a password:

The goodpw(ADM) checks are defined in the /etc/default/goodpw file and supplemented or modified by files in the /usr/lib/goodpw directory. Refer to ``Customizing password checking'' for more information.

NOTE: Obviousness checking prevents certain break-ins that rely on dictionary checking, but such repeated break-in attempts are better controlled with login limits; see ``Setting login restrictions on terminals''. Obviousness checks increase the time required to change a password.

For information on using the command line interface, see the usermod(ADM) manual page.