Support for passwords greater than 8 characters

Technote (FAQ)


Question

What is the procedure for configuring passwords greater than 8 characters?
Are there any other password encryption methods available to use in AIX?
What are the new attributes you can use to restrict passwords?

Answer

Loadable Password Algorithms
In AIX 5.2 and 5.3 (pre-TL7), passwords were limited to 8 characters when using the one-way hash function crypt().

AIX 5.3 TL7 and AIX 6.1 introduce Loadable Password Algorithm (LPA). Each supported password encryption algorithm is implemented as an LPA module that is loaded at runtime when the algorithm is needed. The supported LPAs, and their attributes, are defined in the system configuration file /etc/security/pwdalg.cfg.


Comparison of Password Algorithms

Below is a comparison chart of features between the algorithms.


NOTE: Without the pwd_algorithm entry in /etc/security/login.cfg, the default value is "crypt", which is the legacy crypt() function.

Once the system password algorithm has been changed, it is used the next time a user changes their password. Until then, users continue to use their original password and hashing algorithm.


Example Application

Applying one of the new password hashing algorithms

To select a different LPA, the system administrator can either use the chsec command or manually edit the /etc/security/login.cfg file.

Using the chsec command
Use the following chsec command to set the "smd5" LPA as the system-wide password encryption module:

# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=smd5

When the chsec command is used to modify the pwd_algorithm attribute, it checks /etc/security/pwdalg.cfg to verify the chosen LPA. The command fails if the check fails.

Using an editor
When an administrator manually changes the pwd_algorithm attribute value in /etc/security/login.cfg using an editor, the chosen value must be the name of a stanza that is defined in the /etc/security/pwdalg.cfg file.
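
One way to run the stanza check described above after a hand edit (an added example, not IBM's code). It assumes the AIX stanza layout of a "name:" header followed by indented "attr = value" lines, with comment lines starting with "*"; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that pwd_algorithm in login.cfg names a stanza in pwdalg.cfg.
# Assumption: stanza files use "name:" headers, indented "attr = value" lines,
# and "*" comment lines.

# Print the value of attribute $3 in stanza $2 of file $1 (empty if absent).
stanza_attr() {
    awk -v s="$2" -v a="$3" '
        /^[ \t]*\*/ { next }                                  # skip comments
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0; next }
        cur == s {
            split($0, kv, "=")
            key = kv[1]; gsub(/[ \t]/, "", key)
            if (key == a) { val = kv[2]; gsub(/[ \t]/, "", val); print val; exit }
        }' "$1"
}

# Succeed if file $1 defines a stanza named $2.
has_stanza() {
    awk -v s="$2" '
        /^[^ \t*].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); if ($0 == s) found = 1 }
        END { exit !found }' "$1"
}

# check_pwd_algorithm LOGIN_CFG PWDALG_CFG
# Prints the effective algorithm; returns 1 if it names no LPA stanza.
check_pwd_algorithm() {
    alg=$(stanza_attr "$1" usw pwd_algorithm)
    if [ -z "$alg" ] || [ "$alg" = "crypt" ]; then
        echo "crypt"      # no entry means legacy crypt(), per the NOTE above
        return 0
    fi
    echo "$alg"
    has_stanza "$2" "$alg"
}

# Constructed sample files (not copied from a real system).
d=$(mktemp -d)
printf 'usw:\n\tshells = /bin/sh\n\tpwd_algorithm = smd5\n' > "$d/login.cfg"
printf '* constructed sample\nsmd5:\n\tlpa_module = /usr/lib/security/smd5\n' > "$d/pwdalg.cfg"
if check_pwd_algorithm "$d/login.cfg" "$d/pwdalg.cfg"; then
    echo "OK: stanza is defined in pwdalg.cfg"
else
    echo "ERROR: no matching stanza in pwdalg.cfg"
fi
rm -rf "$d"
```

On a live system, call check_pwd_algorithm with /etc/security/login.cfg and /etc/security/pwdalg.cfg as the two arguments.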


New Password Attributes

The allowed values for attributes related to password length have also changed. The following attributes in the /etc/security/user configuration file are affected:

maxrepeats - Defines the maximum number of times a given character can appear in a password.
PREV range 0 - 8. Default is 8.
NEW range 0 - PW_PASSLEN. Default is PW_PASSLEN.

minalpha - Defines the minimum number of alphabetic characters in a password.
PREV range 0 - 8. Default is 8.
NEW range 0 - PW_PASSLEN. Default is 0.

minlen - Defines the minimum length of a password.
PREV range 0 - 8. Default is 8.
NEW range 0 - PW_PASSLEN. Default is 0.

minother - Defines the minimum number of non-alphabetic characters in a password.
PREV range 0 - 8. Default is 8.
NEW range 0 - PW_PASSLEN. Default is 0.

mindiff - Defines the minimum number of characters in the new password that were not in the old password.
PREV range 0 - 8. Default is 8.
NEW range 0 - PW_PASSLEN. Default is 0.

Document information


More support for:

AIX family

Software version:

5.3, 6.1

Operating system(s):

AIX

Reference #:

T1010741

Modified date:

2013-04-18
