This tutorial focuses on how to enforce password complexity in Solaris OS.
If your question is one of the following, then this tutorial is for you:
- Password Complexity in Solaris
- Enforce Password Policy in Solaris OS
- How to check password policy in Solaris 11
- Solaris 11 password policy settings
- Specifying Password Criteria and Defaults in Solaris
Enforce Password Complexity and Defaults in Solaris
To ensure the security of passwords on Solaris systems, you need to edit the /etc/default/passwd file and assign values to a series of settings that enforce length and complexity.
Let’s look at each parameter:
MAXWEEKS (or MAXDAYS)
The maximum number of days the password can be used without changing it.
MINWEEKS (or MINDAYS)
The minimum number of days that must pass since the last change before the password can be changed again.
WARNWEEKS (or WARNDAYS)
The number of days’ notice that users are given before their passwords have to be changed.
PASSLENGTH
PASSLENGTH controls the password length. It’s strictly a length measurement, not a complexity score.
NAMECHECK
NAMECHECK enables/disables login name checking. When set to YES, this setting causes the system to check whether the password and login name are identical.
HISTORY
HISTORY sets the number of prior password changes to keep and check for a user when changing passwords. It determines the length of the history buffer used to ensure that passwords are not repeated within a certain length of time. If HISTORY is set to 5, but MINWEEKS is set to 0, a person could change his password 5 times in succession and get back to the original password without waiting.
Password complexity tunables:
- MINDIFF
- MINALPHA
- MINNONALPHA
- MINUPPER
- MINLOWER
- MAXREPEATS
- MINSPECIAL
- MINDIGIT
- WHITESPACE
MINDIFF – Defines the minimum number of differences required between old and new passwords. With MINDIFF set to 3, for example, your users would have to change at least three characters when they create a new password.
MINALPHA – Defines the minimum number of alphabetic characters.
MINNONALPHA – Defines the minimum number of non-alphabetic characters that must be included in a password. Non-alphabetic includes both digits and special characters.
MINUPPER and MINLOWER – Define the minimum number of uppercase and lowercase characters required. You can require a certain number of letters using MINALPHA, but their case would not be considered unless one of these settings is also used.
MAXREPEATS – Determines the number of times you can consecutively use the same character (e.g., 111 or qqq).
MINSPECIAL – In a similar manner to MINDIGIT, MINSPECIAL determines how many special characters are needed.
MINDIGIT – Determines how many digits are required. If not set, no digits are required. However, if you have a MINNONALPHA setting, one digit or one special character would still be required.
WHITESPACE – Determines whether whitespace characters (blanks and tabs) are allowed in passwords.
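As an added example (not code from Oracle or from the original article), the Python sketch below parses a constructed /etc/default/passwd fragment, reports which tunables a candidate password fails, and flags the HISTORY/MINWEEKS combination described above. It approximates the rules as this page describes them rather than reproducing the Solaris checker; the function names, the sample values, and the handling of blanks and of MAXREPEATS runs are assumptions.

```python
import re

# Constructed sample of active /etc/default/passwd lines (values are illustrative).
SAMPLE = """\
MINWEEKS=0
PASSLENGTH=8
NAMECHECK=YES
HISTORY=5
MINALPHA=2
MINNONALPHA=1
MAXREPEATS=2
#MINDIGIT=1
WHITESPACE=NO
"""

def parse_defaults(text):
    """Return {NAME: value} for KEY=VALUE lines; '#' lines do not match."""
    found = (re.match(r"\s*([A-Z]+)\s*=\s*(\S+)", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in found if m}

def violations(password, login, cfg):
    """Names of the tunables that `password` fails under `cfg`."""
    limit = lambda key: int(cfg.get(key, 0))
    alpha = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    blanks = sum(c in " \t" for c in password)
    special = len(password) - alpha - digits - blanks  # assumption: blanks are not "special"
    have = {
        "PASSLENGTH": len(password),
        "MINALPHA": alpha,
        "MINNONALPHA": digits + special,  # a digit or a special character satisfies it
        "MINUPPER": sum(c.isupper() for c in password),
        "MINLOWER": sum(c.islower() for c in password),
        "MINDIGIT": digits,
        "MINSPECIAL": special,
    }
    failed = [key for key, count in have.items() if count < limit(key)]
    run = max((len(m.group()) for m in re.finditer(r"(.)\1*", password)), default=0)
    if limit("MAXREPEATS") and run > limit("MAXREPEATS"):  # assumption: runs up to n allowed
        failed.append("MAXREPEATS")
    if cfg.get("WHITESPACE", "").upper() == "NO" and blanks:
        failed.append("WHITESPACE")
    if cfg.get("NAMECHECK", "").upper() == "YES" and password == login:
        failed.append("NAMECHECK")
    return failed

def history_is_bypassable(cfg):
    """HISTORY set while MINWEEKS is 0: a user can cycle back to the old password."""
    return int(cfg.get("HISTORY", 0)) > 0 and int(cfg.get("MINWEEKS", 0)) == 0
```

With the sample settings, `violations("password", "alice", parse_defaults(SAMPLE))` reports only MINNONALPHA, and `history_is_bypassable` returns True until MINWEEKS is raised above 0.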
DICTIONDBDIR (or DICTIONLIST)
You can also tell Solaris to use a word list to invalidate the use of words. This list can contain any type of words that you like, though it’s of little use if it isn’t fairly extensive. To use a file named /usr/share/lib/dict/words, you would type:
DICTIONLIST=/usr/share/lib/dict/words
That’s it. You have learned how to enforce password complexity in Solaris OS.