Enforcing password complexity on Solaris

To enforce password complexity on Solaris systems, you need to edit the /etc/default/passwd file and assign values to a series of settings that enforce length and complexity.

Solaris 10 is the first version of Solaris to provide a complex set of variables for controlling password strength. The /etc/default/passwd file contains a series of parameters (most commented out) when a system is first installed that allow you to exercise some fairly rigorous constraints on the passwords your users may select.

# cat /etc/default/passwd 
MAXWEEKS=
MINWEEKS=
PASSLENGTH=8
#NAMECHECK=NO
HISTORY=10
#MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=1
MINLOWER=1
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd

MAXWEEKS and MINWEEKS control how often passwords must and may be changed; both are empty (no aging) in the stock file. The password length is controlled by PASSLENGTH. The stock value of 6 (already raised to 8 in the file shown above) is clearly far too small for today's security challenges and should be changed to 12 to be in keeping with current best practice. Unlike pam_cracklib's minlen on Linux, which is a score that grants credit for extra character classes, PASSLENGTH is strictly a character count: 12 means 12 characters.

The remaining parameters control how many letters, digits and other non-letters a password must contain; uppercase and lowercase letters are counted separately by MINUPPER and MINLOWER.

NAMECHECK - When set to YES, the system checks whether the password and the login name are identical, so the password "alexander" for the user alexander is refused. YES is the default, which is why the line ships commented out; to turn the check off you would uncomment the NAMECHECK=NO line shown above.

HISTORY - Sets how many previous passwords are remembered (up to 26) so that a user cannot reuse any of them. Setting HISTORY to 12 or 24 is reasonable, but it only works together with MINWEEKS: if HISTORY is 12 and MINWEEKS is 0 or unset, a user can change the password twelve times in succession and be back at the original within a minute. Note also that password history is enforced only for accounts defined in the files repository (local /etc/passwd and /etc/shadow entries).

MINDIFF - Defines the minimum number of characters that must differ between the old and the new password. If not set, it defaults to 3, so users have to change at least three characters. That is a weak control: going from newpassMay2012 to newpassJun2012 changes exactly three characters and would be accepted, so MINDIFF alone will not stop users from rotating a fixed stem with a changing suffix.

MINALPHA - Defines the minimum number of alphabetic characters. If not set, it defaults to 2.

MINNONALPHA - Defines the minimum number of non-alphabetic characters that must be included in a password. Non-alphabetic includes both digits and special characters. The default is one.

MINUPPER and MINLOWER - Define the minimum number of uppercase and lowercase letters required. Both default to 0. MINALPHA requires a certain number of letters, but their case is not considered unless one of these settings is also used.

MAXREPEATS - Sets the maximum number of identical characters allowed in a row (for example 111 or qqq), so a run longer than this value is rejected. No check is made unless it is set.

MINDIGIT - Determines how many digits are required. If not set, no digits are required, although with MINNONALPHA in effect (it defaults to 1) at least one digit or special character is still needed. Note that the passwd(1) man page does not allow MINDIGIT or MINSPECIAL to be set together with MINNONALPHA: use MINNONALPHA to ask for "some non-letters", or MINDIGIT and MINSPECIAL to say exactly which kinds, but not both.

MINSPECIAL - In similar manner to MINDIGIT, MINSPECIAL determines how many special characters are needed. It defaults to none.

WHITESPACE - Determines whether whitespace characters (blanks and tabs) are allowed in passwords. This setting defaults to YES.

Remove the # sign and adjust the settings to values that represent your security policies.

The following settings require a user to change his password every 12 weeks (roughly three months) and prevent him from changing it again within two weeks of the most recent change; two weeks before it expires he is warned at login that the password is about to expire. Two things to keep in mind. First, these defaults are applied to an account when its password is next set, so accounts that already exist keep whatever aging they have until you update them with passwd -n, -x and -w (which take days: 14, 84 and 14 for the values below). Second, the most serious security issue with a MINWEEKS value is that a user who believes his account has been compromised cannot immediately change his password to one the attacker does not know; an administrator, who is not bound by MINWEEKS, has to reset it for him (and can force a change at next login with passwd -f).

MAXWEEKS=12
MINWEEKS=2
WARNWEEKS=2
PASSLENGTH=12
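To find the accounts that already exist and are out of step with these aging values, the following added example (not part of the original article, and not a Solaris tool) reads the one-line-per-account output of passwd -s -a, which passwd(1) documents as "login status mm/dd/yy min max warn" with the three aging fields in days, and prints the passwd command that would bring each out-of-policy account into line. The sample status lines and the login names in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: audit the aging fields that
# `passwd -s -a` reports on Solaris against the MAXWEEKS/MINWEEKS/WARNWEEKS
# policy, and print the `passwd -n MIN -x MAX -w WARN LOGIN` command that
# would bring each out-of-policy account into line. passwd(1) prints one
# account per line as "login status mm/dd/yy min max warn"; the aging fields
# are in days and are absent when no aging is set. This is a dry run: it
# prints commands, it does not run them. On a real system use
#   passwd -s -a | aging_audit

POLICY_MINWEEKS=2
POLICY_MAXWEEKS=12
POLICY_WARNWEEKS=2

# Constructed sample of `passwd -s -a` output (not taken from a real system).
SAMPLE_STATUS='alexander PS 05/01/12 14 84 14
jsmith PS 04/10/12
mlee PS 02/20/12 7 42 7
backup LK 01/05/12
nobody NL'

# weeks_to_days N -> the value passwd -n/-x/-w expect (they take days)
weeks_to_days() {
    echo $(( $1 * 7 ))
}

# aging_audit: reads passwd -s lines on stdin and prints one fix-up command
# per account whose password is set (status PS) but whose min/max/warn
# differ from policy. Locked (LK), no-password (NP) and non-login (NL)
# accounts are skipped; aging a locked account changes nothing useful.
aging_audit() {
    want_min=$(weeks_to_days "$POLICY_MINWEEKS")
    want_max=$(weeks_to_days "$POLICY_MAXWEEKS")
    want_warn=$(weeks_to_days "$POLICY_WARNWEEKS")
    while read -r login status lastchg min max warn; do
        [ "$status" = PS ] || continue
        # "${min:-none}" turns a missing field into a value that never matches
        if [ "${min:-none}" != "$want_min" ] || [ "${max:-none}" != "$want_max" ] ||
           [ "${warn:-none}" != "$want_warn" ]; then
            echo "passwd -n $want_min -x $want_max -w $want_warn $login"
        fi
    done
}

# audit_sample: runs the audit over the constructed sample above.
audit_sample() {
    printf '%s\n' "$SAMPLE_STATUS" | aging_audit
}

audit_sample
```

For the sample, alexander already matches (14/84/14 days) and is not reported; jsmith has no aging at all and mlee has the wrong values, so one passwd command is printed for each of them.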

Now let's take a look at some settings that might work well for a site that is concerned about password strength. In the settings below, the 12 character passwords we are requiring must differ from the old password in at least four characters. At least four of the 12 characters must be alphabetic, one of which must be uppercase and one lowercase. We also need at least one digit and cannot have more than two identical characters in a row. Because MINDIGIT is set, MINNONALPHA is left commented out (the two cannot be combined). The password Yr2010OldYear would work, even if the prior password was Yr2011NewYear: it differs from it in four positions (the last digit and the three letters of Old versus New). Yr2000OldYear, by contrast, would be refused, because 000 is three identical characters in a row.

MINDIFF=4
MINALPHA=4
#MINNONALPHA=1
MINUPPER=1
MINLOWER=1
MAXREPEATS=2
#MINSPECIAL=0
MINDIGIT=1
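A policy like this is worth trying out before users run into it. The following is an added example, not part of the original article and not Solaris's own pam_authtok_check code: a dry-run checker in POSIX shell that applies the rules described above, using the keyword names of /etc/default/passwd as its policy variables. How it counts MINDIFF (position by position, plus any difference in length), MAXREPEATS (the longest run of one character) and NAMECHECK (an exact match with the login name) is this example's reading of the descriptions above, and an empty variable means "not enforced", like a commented-out keyword. The candidate passwords and the login name alexander are constructed inputs.

```shell
#!/bin/sh
# Added example, not from the original article: a dry-run checker that applies
# the /etc/default/passwd rules to a candidate password. The keyword names are
# Solaris's; the counting rules (position-wise MINDIFF, longest run for
# MAXREPEATS, NAMECHECK as an exact match) are this example's assumptions,
# not Solaris's own implementation. ASCII passwords are assumed.

# Policy: the "site concerned about password strength" values plus
# PASSLENGTH=12. An empty value means "not enforced".
PASSLENGTH=12
NAMECHECK=YES
WHITESPACE=YES
MINDIFF=4
MINALPHA=4
MINNONALPHA=      # cannot be combined with MINDIGIT/MINSPECIAL, so left unset
MINUPPER=1
MINLOWER=1
MAXREPEATS=2
MINDIGIT=1
MINSPECIAL=

# count_class STRING CLASS -> number of characters of STRING in tr class CLASS
count_class() {
    n=$(printf '%s' "$1" | tr -cd "$2" | wc -c)
    echo $(( $n + 0 ))      # normalises the padded output some wc versions print
}

# longest_run STRING -> length of the longest run of one repeated character
longest_run() {
    printf '%s\n' "$1" | fold -w 1 | awk '
        { if (NR > 1 && $0 == prev) run++; else run = 1
          if (run > best) best = run
          prev = $0 }
        END { print best + 0 }'
}

# char_diff NEW OLD -> positions that differ, plus any difference in length
char_diff() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { a = $0 } NR == 2 { b = $0 }
        END { la = length(a); lb = length(b)
              n = (la < lb) ? la : lb
              d = (la > lb) ? la - lb : lb - la
              for (i = 1; i <= n; i++)
                  if (substr(a, i, 1) != substr(b, i, 1)) d++
              print d }'
}

# reject RULE MESSAGE -> report the rule the candidate failed
reject() { echo "$1: $2"; }

# check_password NEW OLD LOGIN -> prints OK and returns 0, or prints the
# first rule the candidate fails and returns 1. OLD may be empty.
check_password() {
    new=$1; old=$2; login=$3
    len=${#new}
    alpha=$(count_class "$new" '[:alpha:]')
    upper=$(count_class "$new" '[:upper:]')
    lower=$(count_class "$new" '[:lower:]')
    digit=$(count_class "$new" '[:digit:]')
    blank=$(count_class "$new" '[:blank:]')
    nonalpha=$(( len - alpha ))
    special=$(( len - alpha - digit ))

    # Each line reads: "rule not enforced" OR "rule satisfied" OR reject.
    [ "$len" -ge "$PASSLENGTH" ] || { reject PASSLENGTH "$len chars, need $PASSLENGTH"; return 1; }
    [ "$NAMECHECK" != YES ] || [ "$new" != "$login" ] || { reject NAMECHECK "password equals login name"; return 1; }
    [ "$WHITESPACE" = YES ] || [ "$blank" -eq 0 ] || { reject WHITESPACE "blanks/tabs not allowed"; return 1; }
    [ -z "$MINALPHA" ] || [ "$alpha" -ge "$MINALPHA" ] || { reject MINALPHA "$alpha letters, need $MINALPHA"; return 1; }
    [ -z "$MINNONALPHA" ] || [ "$nonalpha" -ge "$MINNONALPHA" ] || { reject MINNONALPHA "$nonalpha non-letters, need $MINNONALPHA"; return 1; }
    [ -z "$MINUPPER" ] || [ "$upper" -ge "$MINUPPER" ] || { reject MINUPPER "$upper uppercase, need $MINUPPER"; return 1; }
    [ -z "$MINLOWER" ] || [ "$lower" -ge "$MINLOWER" ] || { reject MINLOWER "$lower lowercase, need $MINLOWER"; return 1; }
    [ -z "$MINDIGIT" ] || [ "$digit" -ge "$MINDIGIT" ] || { reject MINDIGIT "$digit digits, need $MINDIGIT"; return 1; }
    [ -z "$MINSPECIAL" ] || [ "$special" -ge "$MINSPECIAL" ] || { reject MINSPECIAL "$special special, need $MINSPECIAL"; return 1; }
    [ -z "$MAXREPEATS" ] || [ "$MAXREPEATS" -eq 0 ] || [ "$(longest_run "$new")" -le "$MAXREPEATS" ] || { reject MAXREPEATS "more than $MAXREPEATS identical characters in a row"; return 1; }
    [ -z "$old" ] || [ -z "$MINDIFF" ] || [ "$(char_diff "$new" "$old")" -ge "$MINDIFF" ] || { reject MINDIFF "fewer than $MINDIFF characters changed"; return 1; }
    echo OK
}

# Demo over constructed candidates (login name alexander is made up).
demo() {
    printf '%-15s ' Yr2010OldYear;  check_password Yr2010OldYear  Yr2011NewYear  alexander || :
    printf '%-15s ' Yr2000OldYear;  check_password Yr2000OldYear  Yr2011NewYear  alexander || :
    printf '%-15s ' newpassJun2012; check_password newpassJun2012 newpassMay2012 alexander || :
}
demo
```

Running the demo accepts Yr2010OldYear, rejects Yr2000OldYear on MAXREPEATS (the run of three zeros) and rejects newpassJun2012 on MINDIFF, since only three characters changed against newpassMay2012. To try a different policy, change the variables at the top to match the candidate /etc/default/passwd and rerun.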

You can also tell Solaris to reject passwords that appear in a word list. The list can contain any words you like, though it's of little use if it isn't fairly extensive. To build the dictionary database that the password checks consult, use the mkpwdict command (for "make password dictionary") and point it at your word file with -s; you can run it for more than one file. To use the file /usr/share/lib/dict/words, you would type:

# mkpwdict -s /usr/share/lib/dict/words

You would then set DICTIONLIST (a comma-separated list of your word-list files) and/or DICTIONDBDIR (the directory holding the database mkpwdict built, /var/passwd unless you gave mkpwdict another location with -d) in /etc/default/passwd; the dictionary check is only performed when at least one of them is set.

DICTIONLIST=/usr/share/lib/dict/words

Solaris provides sufficient settings for ensuring that your users' passwords will be set to reasonably secure values. One last caveat: these checks are performed by the pam_authtok_check module, which by default does not apply them when root sets another user's password; add the force_check option to the pam_authtok_check entry in /etc/pam.conf if administrator-set passwords should be held to the same rules.