Users have a habit of breaking any security policy, at least as long as you don't enforce it. One of the most annoying habits from the point of view of security people is the tendency to choose weak passwords: the name of the boyfriend or girlfriend, the preferred brand of car, birthdays ... you name it. These passwords are anything but secure. But you can configure Solaris to check new passwords before it accepts them.
Specifying a password policy
There is a central file in Solaris controlling the password policy. In /etc/default/passwd you define the requirements a password must fulfill before Solaris allows a user to set it. Let's have a look at the actual file of a standard Solaris system. You have to log into your system as root to edit it. One important note for trying out this feature: you need to log into your system as a normal user in a different window. root can set any password without a check by the password policy, so otherwise it would look as if your configuration changes had no effect:
# cat passwd
[... omitted CDDL header ...]
#
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#NAMECHECK=NO
#HISTORY=0
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
You enable a check by uncommenting its line and setting a reasonable value. When you enable all the checks, it's actually harder to find a valid password than an invalid one. Whenever you think about a really hard password policy, you should take into consideration that people tend to write down their password when they can't remember it. And a strong password under the keyboard is obviously less secure than a weak password in the head of the user.
Parameter | Description
MAXWEEKS | This variable specifies the maximum age of a password, in weeks.
MINWEEKS | This variable specifies the minimum age of a password, in weeks. The rationale for this setting becomes clearer with the HISTORY setting below.
PASSLENGTH | The minimum length of a password.
HISTORY | This variable specifies the length of the password history buffer. You can specify a length of up to 26 passwords. MINWEEKS is useful in conjunction with this parameter: there is a trick to get around the history buffer and get your old password back, by simply changing the password as many times as the buffer is long plus one. The MINWEEKS parameter prevents this, because the password cannot be changed again before the minimum age has passed.
WHITESPACE | This variable defines whether you are allowed to use whitespace in your password.
NAMECHECK | When you set this variable to YES, the system checks whether the password and the login name are identical. So using the password root for the user root would be denied by this setting. The default, by the way, is YES.
Besides these basic checks, you can use /etc/default/passwd to enforce checks on the complexity of passwords, so you can prevent users from setting passwords that are too simple.
Parameter | Description
MINDIFF | Let's assume you've used 3 here. If your old password was batou001, a new password batou002 would be denied, as only one character was changed. batou432 would be a valid password.
MINUPPER | With this variable you can force the use of upper case characters. Let's assume you've specified 3 here: a password like wasabi isn't an allowed choice, but you could use WaSaBi.
MINLOWER | With this variable you enable the check for the number of lower case characters in your password. If you've specified 2 here, a password like WASABI isn't allowed, but you can use WaSaBI.
MAXREPEATS | Okay, some users try to use passwords like aaaaaa2=. Obviously this isn't a strong password. When you set this parameter to 2, the system checks that at most 2 consecutive characters are identical. A password like waasabi would be allowed, but not a password like waaasabi.
MINSPECIAL | The class SPECIAL consists of characters like !=(). Let's assume you've specified 2: a password like !ns!st= would be fine, but the password insist is not a valid choice.
MINDIGIT | With this parameter you can specify the minimum number of digits in your password. Let's assume you specify 2: a password like snafu01 will be allowed, a password like snafu1 will be denied.
MINALPHA | With this variable you can check for a minimum number of alphabetic characters (a-z and A-Z). When you set a value of 2 on this variable, a password like aa23213 would be allowed, a password like 0923323 would be denied.
MINNONALPHA | This checks for the number of non-alphabetic characters (0-9 and special characters). A value of 2 would lead to the denial of wasabi, but a password like w2sab! is okay.
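As an added example (not Solaris's own passwd(1) code), the following Python models the checks from both tables above so you can evaluate a candidate /etc/default/passwd policy against sample passwords before rolling it out. The functions parse_policy and check_password are assumptions of this example; MINDIFF is modelled as a position-by-position comparison, which matches the batou001/batou432 example but is a simplification, and the age, HISTORY and dictionary checks are not modelled.

```python
import re  # example code, not Solaris's passwd(1); it mirrors the article's checks

def parse_policy(text):
    """Parse KEY=VALUE lines in /etc/default/passwd style; commented-out
    lines and keys with an empty value stay unset (check disabled)."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if value.strip():
            policy[key.strip()] = value.strip()
    return policy

def _num(policy, key):
    return int(policy.get(key, 0))  # unset numeric parameters act like 0

def check_password(policy, new, old=None, login=None):
    """Return the names of the parameters the candidate violates ([] = accepted)."""
    upper = sum(c.isupper() for c in new)
    lower = sum(c.islower() for c in new)
    digits = sum(c.isdigit() for c in new)
    special = sum(not c.isalnum() and not c.isspace() for c in new)
    # length of the longest run of identical consecutive characters (waaasabi -> 3)
    longest_run = max((len(m.group(0)) for m in re.finditer(r"(.)\1*", new)), default=0)
    rules = {
        "PASSLENGTH": len(new) >= _num(policy, "PASSLENGTH"),
        "MINUPPER": upper >= _num(policy, "MINUPPER"),
        "MINLOWER": lower >= _num(policy, "MINLOWER"),
        "MINDIGIT": digits >= _num(policy, "MINDIGIT"),
        "MINALPHA": upper + lower >= _num(policy, "MINALPHA"),
        "MINNONALPHA": digits + special >= _num(policy, "MINNONALPHA"),
        "MINSPECIAL": special >= _num(policy, "MINSPECIAL"),
        # MAXREPEATS=0 (or unset) means no limit on repeats
        "MAXREPEATS": _num(policy, "MAXREPEATS") == 0
                      or longest_run <= _num(policy, "MAXREPEATS"),
        "WHITESPACE": policy.get("WHITESPACE", "YES").upper() == "YES"
                      or not any(c.isspace() for c in new),
        # NAMECHECK defaults to YES: a password equal to the login name is refused
        "NAMECHECK": policy.get("NAMECHECK", "YES").upper() != "YES" or new != login,
    }
    if old is not None and _num(policy, "MINDIFF"):
        # simplification: positions that differ plus any difference in length
        diff = sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))
        rules["MINDIFF"] = diff >= _num(policy, "MINDIFF")
    return [name for name, ok in rules.items() if not ok]
```

The page's own examples (wasabi against WaSaBi, waasabi against waaasabi, and so on) can be fed straight into check_password to see which parameter rejects them.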
Using wordlists
There is another way to force stronger passwords. You can deny every password that appears in a list of words. The passwd program is able to compare the new password against a list of words, and with this function you can deny the most obvious password choices. But you have to initialize the dictionary with a list of words before you can use this feature.
# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
The file /usr/share/lib/dict/words is a file in the Solaris Operating System containing a list of words. It's normally used by spell checking tools. Obviously you should use a wordlist in your own language, as users tend to choose words from their own language as passwords, so an English wordlist in Germany may not be that effective. You can find a list of other wordlists here.
Now you have to tell Solaris to use these lists. There are some parameters in /etc/default/passwd I didn't cover before:
Parameter | Description
DICTIONLIST | This variable can contain a list of dictionary files separated by commas. You must specify full pathnames. The words from these files are merged into a database that is used to determine whether a password is based on a dictionary word.
DICTIONDBDIR | The directory where the generated dictionary databases reside.
When neither of the two variables is specified in /etc/default/passwd, no dictionary check is performed.
Let's try it. I've uncommented the DICTIONDBDIR line of the /etc/default/passwd file and used the standard value /var/passwd. One of the words in the dictionary I imported is airplane:
$ passwd
passwd: Changing password for jmoekamp
Enter existing login password: chohw!2
New Password: airplane
passwd: password is based on a dictionary word.
Solaris denies the password as it's based on a word in the imported dictionary.
The JET tutorial isn't complete yet, but to shorten the wait a little bit for you, I wrote a tutorial about a small but nevertheless important topic - Passwords: Part 1: Introduction, Part 2: Using strong password hashing, Part 3: Using a password policy.
Tracked: May 29, 10:06