Less known Solaris features: On passwords - Part 3: Using a password policy
Users have a habit of breaking any security policy, at least as long as you don't enforce it. One of the most annoying habits, from the point of view of security people, is the tendency to choose weak passwords: the name of a boyfriend or girlfriend, a preferred brand of car, a birthday, you name it. These passwords are anything but secure. But you can configure Solaris to check new passwords before it accepts them.
Specifying a password policy
There is a central file in Solaris controlling the password policy: in /etc/default/passwd you define what requirements a password must fulfill before Solaris allows a user to set it. Let's have a look at the actual file of a standard Solaris system. You have to log into your system as root to edit it. One important note for trying out this feature: you also need to log into your system as a normal user in a different window, because root can set any password without it being checked against the password policy, so from a root shell it would look as if your configuration changes had no effect. (The checks themselves come from the pam_authtok_check module; if you want password changes made by root to be checked as well, that module accepts a force option in /etc/pam.conf.)
You enable a check by uncommenting its line and setting a reasonable value. When you enable all the checks it is actually harder to find a valid password than an invalid one. Whenever you think about a really strict password policy you should take into consideration that people tend to write their password down when they can't remember it, and a strong password under the keyboard is obviously less secure than a weak password in the head of the user.
HISTORY=n: Solaris keeps the last n passwords of a user and refuses any of them as a new password. This is only enforced for accounts in the local files repository (/etc/passwd and /etc/shadow), and the MINWEEKS buffer is useful in conjunction with this parameter. There is a trick to circumvent the history buffer and get your old password back: just change the password as many times as the buffer is long, plus one more time. The MINWEEKS parameter, the minimum number of weeks between two password changes, prevents this.
NAMECHECK=YES: the system checks whether the password and the login name are identical, so using the password root for the user root would be denied by this setting. The default, by the way, is to perform this check.
Besides these basic checks you can use /etc/default/passwd to enforce checks on the complexity of passwords, so you can prevent users from setting passwords that are too simple. The examples below look at each parameter on its own:

MINDIFF=3: the new password has to differ from the old one in at least three characters. After a user had set batou001, a new password would be denied if the user tried batou002, as only one character was changed. batou432 would be a valid password.

MINUPPER=1: at least one uppercase letter is required. wasabi isn't an allowed choice, but the same word with one of its letters capitalized would be.

MINLOWER=1: at least one lowercase letter is required. WASABI isn't allowed, but the same word with one of its letters in lowercase would be.

MAXREPEATS: the maximum number of identical consecutive characters. The default of 0 disables the check, so even aaaaaa passes, and obviously this isn't really a strong password. When you set this parameter to 2, the check ensures that at most two consecutive characters are identical: a password like waasabi would be allowed, but not one with three identical characters in a row.

MINSPECIAL=2: special characters are those that are neither letters nor digits, like !=(). Let's assume you've specified 2; a password like !ns!st= would be fine, but the password insist is not a valid choice.

MINDIGIT=2: at least two digits are required. snafu01 will be allowed, a password like snafu1 will be denied.

MINALPHA=2: at least two letters are required. aa23213 would be allowed, a password like 0923323 would be denied.

MINNONALPHA=1: at least one character that is not a letter, counting digits and special characters together. This check is on by default and cannot be combined with MINDIGIT or MINSPECIAL, which count the two kinds separately. With it you can't use wasabi, but a password that adds a digit or a special character to that word would pass.

Keep in mind that the checks stack: waasabi passes MAXREPEATS=2 but still fails the default MINNONALPHA=1, because it contains neither a digit nor a special character.
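To see how these checks combine before you touch a real /etc/default/passwd, here is an added example (mine, not the original page's and not Solaris's pam_authtok_check code) that models the documented meaning of each parameter in plain POSIX sh and tests candidate passwords against a policy. The rule for counting MINDIFF differences (position by position, plus any difference in length) and the values in policy_strict are my assumptions; everything else follows the parameter descriptions above.

```shell
#!/bin/sh
# Model of the composition checks that /etc/default/passwd switches on.
# Added example, not Solaris's pam_authtok_check code: each check follows
# the documented meaning of the parameter of the same name. How MINDIFF
# counts differences (position by position, plus any length difference)
# is an assumption made here so that the page's examples behave as described.
LC_ALL=C; export LC_ALL

# Documented defaults of a stock system (the file ships with every line
# commented out; these are the values that then apply).
policy_default() {
  PASSLENGTH=6 NAMECHECK=YES MINDIFF=3 MINALPHA=2 MINNONALPHA=1
  MINUPPER=0 MINLOWER=0 MAXREPEATS=0 WHITESPACE=YES MINSPECIAL=0 MINDIGIT=0
}

# A stricter policy (values chosen for this example, not taken from the page).
# MINNONALPHA is 0 because it cannot be combined with MINDIGIT/MINSPECIAL.
policy_strict() {
  PASSLENGTH=10 NAMECHECK=YES MINDIFF=4 MINALPHA=2 MINNONALPHA=0
  MINUPPER=1 MINLOWER=1 MAXREPEATS=2 WHITESPACE=YES MINSPECIAL=1 MINDIGIT=1
}

# count STRING SET: how many characters of STRING fall in the tr(1) set SET
count() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }

# nth STRING N: the N-th character of STRING (1-based)
nth() { printf '%s' "$1" | cut -c "$2"; }

# longest_run STRING: length of the longest run of identical adjacent characters
longest_run() {
  s=$1 best=0 run=0 prev='' i=1
  while [ "$i" -le "${#s}" ]; do
    c=$(nth "$s" "$i")
    if [ "$c" = "$prev" ]; then run=$((run + 1)); else run=1; fi
    if [ "$run" -gt "$best" ]; then best=$run; fi
    prev=$c i=$((i + 1))
  done
  echo "$best"
}

# diff_count OLD NEW: positions where the two passwords differ, plus the
# characters beyond the end of the shorter one (assumption, see header)
diff_count() {
  a=$1 b=$2 n=0 i=1
  while [ "$i" -le "${#a}" ] && [ "$i" -le "${#b}" ]; do
    if [ "$(nth "$a" "$i")" != "$(nth "$b" "$i")" ]; then n=$((n + 1)); fi
    i=$((i + 1))
  done
  if [ "${#a}" -gt "${#b}" ]; then n=$((n + ${#a} - ${#b})); else n=$((n + ${#b} - ${#a})); fi
  echo "$n"
}

# deny REASON: record one broken rule for the password under test
deny() { echo "denied: $1"; rc=1; }

# check_password LOGIN OLD NEW: prints every rule the new password breaks
# and returns 0 only if the current policy would accept it
check_password() {
  login=$1 old=$2 new=$3 rc=0 len=${#3}
  alpha=$(count "$new" 'A-Za-z'); alnum=$(count "$new" 'A-Za-z0-9')
  nonalpha=$((len - alpha)); special=$((len - alnum))
  if [ "$len" -lt "$PASSLENGTH" ]; then deny "shorter than PASSLENGTH=$PASSLENGTH"; fi
  if [ "$NAMECHECK" = YES ] && [ "$new" = "$login" ]; then deny "NAMECHECK: equals the login name"; fi
  if [ "$(diff_count "$old" "$new")" -lt "$MINDIFF" ]; then deny "fewer than MINDIFF=$MINDIFF characters changed"; fi
  if [ "$alpha" -lt "$MINALPHA" ]; then deny "fewer than MINALPHA=$MINALPHA letters"; fi
  if [ "$(count "$new" 'A-Z')" -lt "$MINUPPER" ]; then deny "fewer than MINUPPER=$MINUPPER uppercase letters"; fi
  if [ "$(count "$new" 'a-z')" -lt "$MINLOWER" ]; then deny "fewer than MINLOWER=$MINLOWER lowercase letters"; fi
  # MINNONALPHA is consulted only when neither MINDIGIT nor MINSPECIAL is set
  if [ "$MINDIGIT" -eq 0 ] && [ "$MINSPECIAL" -eq 0 ]; then
    if [ "$nonalpha" -lt "$MINNONALPHA" ]; then deny "fewer than MINNONALPHA=$MINNONALPHA non-letters"; fi
  else
    if [ "$(count "$new" '0-9')" -lt "$MINDIGIT" ]; then deny "fewer than MINDIGIT=$MINDIGIT digits"; fi
    if [ "$special" -lt "$MINSPECIAL" ]; then deny "fewer than MINSPECIAL=$MINSPECIAL special characters"; fi
  fi
  if [ "$MAXREPEATS" -gt 0 ] && [ "$(longest_run "$new")" -gt "$MAXREPEATS" ]; then deny "more than MAXREPEATS=$MAXREPEATS identical characters in a row"; fi
  if [ "$WHITESPACE" != YES ] && [ "$(count "$new" ' ')" -gt 0 ]; then deny "WHITESPACE=NO: contains a space"; fi
  return $rc
}

# Demo: the page's MINDIFF example under the stock policy
policy_default
check_password batou batou001 batou002 || echo "batou002 rejected, as on the page"
```

To apply a policy such as policy_strict on a real system, put the same KEY=VALUE lines, uncommented, into /etc/default/passwd and try a change from the normal user's window, not from root.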
Using wordlists
There is another way to force stronger passwords: you can deny every password that appears in a list of words. The program for changing passwords is capable of comparing the new password against such a list, and with this function you can deny the most obvious choices. But you have to initialize the dictionary from a list of words (with mkpwdict(1M)) before you can use this feature.
/usr/share/lib/dicts/words is a file in the Solaris Operating System containing a list of words; it's normally used by spell-checking tools. Obviously you should use a wordlist in your own language, as users tend to choose words from their own language as passwords, so an English wordlist in Germany may not be that effective. You find a list of other wordlists here
Now you have to tell Solaris to use these lists. There are two parameters in /etc/default/passwd I didn't cover before: DICTIONLIST, a comma-separated list of full pathnames to wordlist files, and DICTIONDBDIR, the directory that holds the pre-generated dictionary database built by mkpwdict.
When neither of the two variables is specified in /etc/default/passwd, no dictionary check is performed. Let's try it. I've uncommented the DICTIONDBDIR line of the /etc/default/passwd file and used the standard value /var/passwd. Then, from the normal user's window, I tried to set a password that is one of the words in the dictionary I had imported. Solaris denies the password, as it's based on a word in the imported dictionary.
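What "based on a word" means in practice, as an added example that is not part of the original post and not Solaris's own code: on Solaris the real database is built with mkpwdict -s /usr/share/lib/dicts/words and consulted by the passwd program through a cracklib-derived check. The script below models three of the mangling rules such a check applies (the word as typed ignoring case, the word reversed, and digits or special characters stripped from the ends) against a constructed wordlist; the choice of exactly these three rules, and the sample words, are my assumptions.

```shell
#!/bin/sh
# Model of the dictionary check that DICTIONLIST/DICTIONDBDIR switch on.
# Added example, not Solaris's code: the real check is cracklib-derived and
# applies more rules than the three shown here, which are a deliberately
# small subset chosen to show why "based on a word" is more than an exact match.
LC_ALL=C; export LC_ALL

# make_wordlist FILE: write a constructed sample list standing in for
# /usr/share/lib/dicts/words (one word per line, like the real file)
make_wordlist() { printf '%s\n' batou insist snafu solaris wasabi > "$1"; }

# in_list WORD FILE: exact, case-insensitive match against one line of FILE
in_list() { grep -qixF -- "$1" "$2"; }

# reverse STRING: the string with its characters in reverse order
reverse() {
  printf '%s' "$1" | awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1) }'
}

# strip_ends STRING: drop leading and trailing characters that are not letters
strip_ends() { printf '%s' "$1" | sed -e 's/^[^A-Za-z]*//' -e 's/[^A-Za-z]*$//'; }

# dict_check PASSWORD FILE: returns 0 if the password is acceptable, 1 if it
# is based on a listed word, i.e. if the word as typed, the word reversed,
# or either of those with non-letters stripped from both ends is in the list
dict_check() {
  pw=$1 list=$2
  core=$(strip_ends "$pw")
  for cand in "$pw" "$(reverse "$pw")" "$core" "$(reverse "$core")"; do
    if [ -n "$cand" ] && in_list "$cand" "$list"; then
      echo "denied: based on a dictionary word"
      return 1
    fi
  done
  return 0
}

# Demo with the constructed list: a capitalized, digit-suffixed dictionary
# word is still caught; a password not built from a listed word passes.
WORDS=${TMPDIR:-/tmp}/words.example.$$
make_wordlist "$WORDS"
dict_check 'Wasabi01!' "$WORDS" || true
dict_check 'tr0ub4dor&3' "$WORDS" && echo "tr0ub4dor&3 accepted"
rm -f "$WORDS"
```

The last check in the test below (wasabi1x passes) shows the limit of this subset: a digit in the middle of a word defeats the end-stripping rule, which is one reason the real check has more rules than these three, and why the dictionary check is a complement to the composition checks rather than a replacement for them.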