Password Restrictions

[ITCareer]

Our security department has issued a mandate that all passwords must contain at least one numeric character, a special character and have both upper and lower case alpha characters.

Can an authentication method script be used to enforce these password standards? I can't find an argument variable that is passed that contains the user's password. I'm beginning to think these password restrictions can't be enforced.

 

[Chapter11]

/etc/security/user

The information you'll need to add isn't in there by default, but all of the relevant information is in the manpage for "passwd"

 

[ITCareer]

/etc/security/user allows password enforcement of length, how many alpha characters, how many non-alpha characters, etc. etc.

But it does not allow you to specify how many special characters like !@#$%^&*() must be in the password and how many numeric 0-9 and mixed case.

What I am wondering if there is a way to invoke a script to check on these things.

 

[Chapter11]

WYSIWYG.

Sorry. It doesn't get any more detailed than that.

 

[Yegolev]

Typically using non-alpha is good enough. I myself used an all-lower, all-alpha passwd for three years that was uncracked after repeated audits. I recently changed to one that uses mixed-case all-alpha and it has survived at least two crack attempts. Of course, telling your security team they are being paranoid won't do any good. IBM Certified -- AIX 4.3 Obfuscation