IBM Support

Support for passwords greater than 8 characters

Question & Answer


Question

What is the procedure for configuring passwords greater than 8 characters? Are there any other password encryption methods available to use in AIX? What are the new attributes you can use to restrict passwords?

Answer

Loadable Password Algorithms

In AIX 5.2 and in AIX 5.3 before TL7, passwords were hashed with the legacy one-way function crypt(), which limits a password to 8 significant characters.

AIX 5.3 TL7 and AIX 6.1 introduce Loadable Password Algorithms (LPA). Each supported password hashing algorithm is implemented as an LPA module that is loaded at runtime when the algorithm is needed. The supported LPAs and their attributes are defined in the system configuration file /etc/security/pwdalg.cfg.


Comparison of Password Algorithms

Below is a comparison chart of features between the algorithms.


NOTE: Without a pwd_algorithm entry in the usw stanza of /etc/security/login.cfg, the default value is "crypt", the legacy crypt() function.

Once the system password algorithm has been changed, it is used the next time a user changes his or her password. Until then, existing users continue to authenticate with their original password, which remains stored under the original hashing algorithm. Changing the algorithm therefore does not by itself replace legacy crypt() hashes; to migrate existing users promptly, force a password change at next login (for example with pwdadm -f ADMCHG <user>).


Example Application

Applying one of the new passwd hashing algorithms

To select a different LPA, the system administrator can either use the chsec command to change the pwd_algorithm attribute in the /etc/security/login.cfg file, or use SMIT.

The SMIT menus can also be used, following
# smitty -> Security & Users -> Passwords -> System Password Policy

or the shortcut
# smitty sys_pwd

and set this value:

* Password Algorithm            [ssha512]     +

Pressing ESC-4 or F4 on that item lists the available password algorithms.


Using the chsec command
Use the following chsec command to set the "smd5" LPA as the system-wide password hashing module:

# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=smd5

When the chsec command is used to modify the pwd_algorithm attribute, it checks /etc/security/pwdalg.cfg to verify that the chosen LPA is defined there. The command fails if that check does not pass.
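Two checks an administrator wants after making this change are whether the configured pwd_algorithm is actually defined in /etc/security/pwdalg.cfg (the validation chsec performs) and which users still carry a legacy crypt() hash because they have not changed their password since the switch. The script below is an added example, not IBM code and not an AIX tool: it works on copies of the stanza files so it runs on any POSIX system, and the file contents it creates are constructed samples (the LPA module paths and the hash bodies are illustrative dummies; only the stanza and "{name}" prefix layout follows AIX).

```shell
#!/bin/sh
# Added example (not from the IBM page). Works on COPIES of AIX stanza files.
# Sample contents below are constructed; hash bodies and module paths are dummies.

# Print the value of one attribute from a stanza in an AIX-style stanza file.
# $1 = file, $2 = stanza name, $3 = attribute name
stanza_attr() {
    awk -v st="$2" -v key="$3" '
        /^[^ \t#][^:]*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == st {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k == key) { v = substr(line, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# Mirror the check chsec performs on pwd_algorithm: the value must be the
# legacy "crypt" or the name of a stanza in pwdalg.cfg. Prints the algorithm
# and returns 0 on success; returns 1 otherwise.
# $1 = copy of /etc/security/login.cfg, $2 = copy of /etc/security/pwdalg.cfg
check_pwd_algorithm() {
    alg=$(stanza_attr "$1" usw pwd_algorithm)
    [ -n "$alg" ] || alg=crypt      # no entry in the usw stanza means legacy crypt()
    if [ "$alg" = crypt ] || grep -q "^$alg:" "$2"; then
        printf '%s\n' "$alg"
        return 0
    fi
    printf 'pwd_algorithm=%s is not defined in %s\n' "$alg" "$2" >&2
    return 1
}

# Classify one password field from /etc/security/passwd: LPA hashes start
# with "{name}", a legacy crypt() hash is a bare 13-character string, and
# "*" or "!" means no usable password is set.
hash_algorithm() {
    case "$1" in
        \{*\}*)   v=${1#\{}; printf '%s\n' "${v%%\}*}" ;;
        ""|\*|\!) echo none ;;
        *)        if [ ${#1} -eq 13 ]; then echo crypt; else echo unknown; fi ;;
    esac
}

# Print "user algorithm" for every stanza in a copy of /etc/security/passwd.
audit_password_hashes() {
    awk '
        /^[^ \t#][^:]*:[ \t]*$/ { user = $0; sub(/:[ \t]*$/, "", user); next }
        user != "" && /^[ \t]*password[ \t]*=/ {
            line = $0; sub(/^[ \t]*password[ \t]*=[ \t]*/, "", line); print user "\t" line
        }' "$1" | while IFS="$(printf '\t')" read -r user hash; do
        printf '%s %s\n' "$user" "$(hash_algorithm "$hash")"
    done
}

# Number of users whose stored hash is still legacy crypt().
count_legacy_users() {
    audit_password_hashes "$1" | awk '$2 == "crypt" { n++ } END { print n + 0 }'
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/login.cfg" <<'EOF'
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/usr/bin/ksh93
        maxlogins = 32767
        pwd_algorithm = ssha512
EOF
cat >"$tmp/bad.cfg" <<'EOF'
usw:
        pwd_algorithm = sha1
EOF
cat >"$tmp/pwdalg.cfg" <<'EOF'
smd5:
        lpa_module = /usr/lib/security/smd5

ssha512:
        lpa_module = /usr/lib/security/ssha
        lpa_options = algorithm=sha512
EOF
cat >"$tmp/passwd" <<'EOF'
root:
        password = {ssha512}06$saltsaltsaltsalt$dummyhashdummyhashdummyhash
        lastupdate = 1529237000
        flags =

ops:
        password = {smd5}dummysalt$dummyhash
        lastupdate = 1500000000
        flags =

legacy:
        password = fAbcD3eF9gH1k
        lastupdate = 1400000000
        flags = ADMCHG

svcacct:
        password = *
        lastupdate = 1500000000
        flags =
EOF

printf 'pwd_algorithm: '; check_pwd_algorithm "$tmp/login.cfg" "$tmp/pwdalg.cfg"
check_pwd_algorithm "$tmp/bad.cfg" "$tmp/pwdalg.cfg" || echo "rejected, as chsec would reject it"
audit_password_hashes "$tmp/passwd"
printf '%s user(s) still on legacy crypt()\n' "$(count_legacy_users "$tmp/passwd")"
```

On a real system, point the functions at the live files (/etc/security/passwd is readable only by root) and follow up on every "crypt" entry, since those accounts are still protected by the 8-character legacy hash regardless of the new pwd_algorithm setting.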


New Password Attributes

The ranges and default values of the attributes related to password length have also changed. The following attributes in the /etc/security/user configuration file are affected:

maxrepeats - Defines the maximum number of times a given character can appear in a password.
PREV range 0 - 8, Default is 8
NEW range 0 - PW_PASSLEN, Default is PW_PASSLEN

minalpha - Defines the minimum number of alphabetic characters in a password.
PREV range 0 - 8, Default is 8
NEW range 0 - PW_PASSLEN, Default is 0

minlen - Defines the minimum length of a password.
PREV range 0 - 8, Default is 8
NEW range 0 - PW_PASSLEN, Default is 0

minother - Defines the minimum number of non-alphabetic characters in a password.
PREV range 0 - 8, Default is 8
NEW range 0 - PW_PASSLEN, Default is 0

mindiff - Defines the minimum number of characters in the new password that were not in the old password.
PREV range 0 - 8, Default is 8
NEW range 0 - PW_PASSLEN, Default is 0

These attributes can be set in the same SMIT screen as the password algorithm above.
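To see how the five attributes above combine, and why values above 8 only matter once an LPA is in use, the following added example (not IBM code, not the AIX password checker) evaluates a candidate password against a policy expressed as shell variables. On AIX the real values would be read with lssec -f /etc/security/user -s default -a minlen (and so on); the values chosen here are assumptions for the demonstration. mindiff is counted as this example interprets the definition above: each character of the new password that does not occur anywhere in the old password counts once.

```shell
#!/bin/sh
# Added example (not from the IBM page): applies the /etc/security/user
# password attributes as defined above to a candidate password.
# Policy values below are assumptions for the demonstration.
MINLEN=12
MINALPHA=2
MINOTHER=2
MAXREPEATS=3
MINDIFF=4

# Number of alphabetic characters in $1 (minalpha).
count_alpha() { printf '%s' "$1" | tr -cd '[:alpha:]' | wc -c | tr -d ' '; }

# Number of non-alphabetic characters in $1 (minother).
count_other() { printf '%s' "$1" | tr -d '[:alpha:]' | wc -c | tr -d ' '; }

# Highest number of times any single character occurs in $1 (maxrepeats).
# The password is passed as an awk operand, not via -v, so backslashes survive.
max_repeat() {
    awk 'BEGIN {
        s = ARGV[1]; m = 0
        for (i = 1; i <= length(s); i++) c[substr(s, i, 1)]++
        for (k in c) if (c[k] > m) m = c[k]
        print m
    }' "$1"
}

# Characters of the new password $1 that occur nowhere in the old password $2
# (mindiff); an empty old password makes every character count.
count_diff() {
    awk 'BEGIN {
        new = ARGV[1]; old = ARGV[2]; n = 0
        for (i = 1; i <= length(new); i++)
            if (index(old, substr(new, i, 1)) == 0) n++
        print n
    }' "$1" "$2"
}

# Print the name of every attribute the candidate $1 violates against the
# previous password $2; prints nothing when the candidate passes.
policy_violations() {
    pw=$1; old=$2
    [ ${#pw} -ge "$MINLEN" ]                     || echo minlen
    [ "$(count_alpha "$pw")" -ge "$MINALPHA" ]    || echo minalpha
    [ "$(count_other "$pw")" -ge "$MINOTHER" ]    || echo minother
    [ "$(max_repeat "$pw")" -le "$MAXREPEATS" ]   || echo maxrepeats
    [ "$(count_diff "$pw" "$old")" -ge "$MINDIFF" ] || echo mindiff
}

# Length the hash actually covers: legacy crypt() uses only the first 8
# characters, so a minlen above 8 adds no strength until an LPA is configured.
# $1 = pwd_algorithm value, $2 = password
effective_length() {
    if [ "$1" = crypt ] && [ ${#2} -gt 8 ]; then echo 8; else echo ${#2}; fi
}

# Constructed demonstration inputs.
for pair in 'Correct-Horse-9!|Correct-Horse-8!' 'aaaa1111|' 'Tr0ub4dor&3xyz|password'; do
    new=${pair%%|*}; old=${pair#*|}
    v=$(policy_violations "$new" "$old")
    printf '%-18s -> %s (covered by crypt: %s chars, by an LPA: %s chars)\n' \
        "$new" "${v:-ok}" "$(effective_length crypt "$new")" "$(effective_length ssha512 "$new")"
done
```

The first candidate fails only mindiff (one character differs from the old password), the second fails minlen and maxrepeats, and the third passes. The last two columns show why the algorithm change and the policy change belong together: under crypt a 16-character password is verified against its first 8 characters only.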

KEYWORDS: MD5 SHA1 SHA256 SHA512 Blowfish smd5 ssha1 ssha256 crypt


Document Information

Modified date:
17 June 2018

UID

isg3T1010741