Sun Microsystems, Inc.

Password Change Failures

Some systems limit either the number of failed attempts you can make in changing your password or the total amount of time you can take to make a successful change. (These limits are implemented to prevent someone else from changing your password by guessing your current password.)

If you (or someone posing as you) fail to log in or change your password within the specified number of tries or time limit, you will get a "Too many failures - try later" or "Too many tries: try again later" message. You will not be allowed to make any more attempts until a certain amount of time has passed. (That amount of time is set by your administrator.)

Choosing a Password

Many breaches of computer security involve guessing another user's password. While the passwd command enforces some criteria for making sure the password is hard to guess, a clever person can sometimes figure out a password just by knowing something about the user. Thus, a good password is one that is easy for you to remember but hard for someone else to guess. A bad password is one that is so hard for you to remember that you have to write it down (which you are not supposed to do), or that is easy for someone who knows about you to guess.

Password Requirements

A password must meet the following requirements:

  • Length. By default, a password must have at least six characters. Only the first eight characters are significant. (In other words, you can have a password that is longer than eight characters, but the system only checks the first eight.) Because the minimum length of a password can be changed by a system administrator, it may be different on your system.

  • Characters. A password must contain at least two letters (either upper- or lower-case) and at least one numeral or symbol such as @, #, or %. For example, you can use dog#food or dog2food as a password, but you cannot use dogfood.

  • Not your login ID. A password cannot be the same as your login ID, nor can it be a rearrangement of the letters and characters of your login ID. (For the purpose of this criterion, upper- and lower-case letters are considered to be the same.) For example, if your login ID is Claire2 you cannot have e2clair as your password.

  • Different from old password. Your new password must differ from your old one by at least three characters. (For the purpose of this criterion, upper- and lower-case letters are considered to be the same.) For example, if your current password is Dog#fooD you can change it to dog#Meat but you cannot change it to daT#Food.
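
The four requirements above written as a checker and run against the examples from the list. This is an added illustration, not the passwd source: the function name is hypothetical, and how "rearrangement" and "differ by three characters" are computed, as well as testing only the first eight characters, are assumptions.

```python
MIN_LEN = 6       # default minimum; an administrator may change it
SIGNIFICANT = 8   # only the first eight characters are checked


def check_password(new, login, old=None, min_len=MIN_LEN):
    """Return the names of the rules that `new` breaks ([] if none)."""
    problems = []
    if len(new) < min_len:
        problems.append("length")

    # Assumption: judge only the part the system actually compares.
    sig = new[:SIGNIFICANT]
    letters = sum(c.isalpha() for c in sig)
    if letters < 2 or len(sig) - letters < 1:
        problems.append("characters")

    # Assumption: "rearrangement" means any reordering, ignoring case.
    if sorted(sig.lower()) == sorted(login.lower()):
        problems.append("login-id")

    if old is not None:
        a, b = sig.lower(), old[:SIGNIFICANT].lower()
        # Assumption: count differing positions plus any length gap.
        diff = sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))
        if diff < 3:
            problems.append("old-password")
    return problems


if __name__ == "__main__":
    # Examples taken from the text above, plus one constructed long password.
    print(check_password("dog#food", "claire2"))
    print(check_password("dogfood", "claire2"))
    print(check_password("e2clair", "Claire2"))
    print(check_password("daT#Food", "claire2", "Dog#fooD"))
    print(check_password("dogfoodies#1", "claire2"))  # constructed
```

The last call shows why the eight-character limit matters: the symbol and digit in dogfoodies#1 fall after the eighth character, so the part the system compares is just dogfoodi.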

Bad Choices for Passwords

Bad choices for passwords include:

  • Any password based on your name

  • Names of family members or pets

  • Car license numbers

  • Telephone numbers

  • Social Security numbers

  • Employee numbers

  • Names related to a hobby or interest

  • Seasonal themes, such as Santa in December

  • Any word that is in a standard dictionary

Good Choices for Passwords

Good choices for passwords include:

  • Phrases plus numbers or symbols (beam#meup)

  • Nonsense words made up of the first letters of every word in a phrase plus a number or symbol (swotrb7 for SomeWhere Over The RainBow)

  • Words with numbers or symbols substituted for letters (sn00py for snoopy)

Administering Passwords

This section describes how to administer passwords in an NIS+ namespace. This section assumes that you have an adequate understanding of the NIS+ security system in general, and in particular of the role that login passwords play in that system (see Chapter 11, NIS+ Security Overview, for this information).


Note - The passwd command now performs all functions previously performed by nispasswd. For operations specific to an NIS+ namespace, use passwd -r nisplus.


nsswitch.conf File Requirements

In order to properly implement the passwd command and password aging on your network, the passwd entry of the nsswitch.conf file on every machine must be correct. This entry determines where the passwd command will go for password information and where it will update password information.

Only five passwd configurations are permitted:

  • passwd: files

  • passwd: files nis

  • passwd: files nisplus

  • passwd: compat

  • passwd: compat, together with passwd_compat: nisplus


Caution - All of the nsswitch.conf files on all of your network's machines must use one of the passwd configurations shown above. If you configure the passwd entry in any other way, users may not be able to log in.
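
One way to audit the passwd entry of a host's nsswitch.conf against the five permitted configurations. This is an added example, not a Sun-supplied tool: the function names and the sample file contents are constructed, and ignoring passwd_compat unless passwd is compat is an assumption.

```python
import re

# The five permitted configurations, as (passwd, passwd_compat) pairs.
PERMITTED = {
    ("files", None),
    ("files nis", None),
    ("files nisplus", None),
    ("compat", None),
    ("compat", "nisplus"),
}

# Constructed sample file contents, not taken from a real host.
SAMPLE = """\
# /etc/nsswitch.conf
passwd:     files   nisplus    # local files first
group:      files nisplus
"""


def read_entries(text):
    """Map each database name to the source strings given for it."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        m = re.match(r"([A-Za-z_]+)\s*:\s*(.*)$", line)
        if m:
            sources = " ".join(m.group(2).split())  # collapse whitespace
            entries.setdefault(m.group(1), []).append(sources)
    return entries


def check_passwd_entry(text):
    """Return (ok, reason) for the passwd entry of one nsswitch.conf."""
    entries = read_entries(text)
    passwd = entries.get("passwd", [])
    compat = entries.get("passwd_compat", [])
    if not passwd:
        return False, "no passwd entry"
    if len(passwd) > 1 or len(compat) > 1:
        return False, "duplicate entry"
    # Assumption: passwd_compat only matters when passwd is "compat".
    second = compat[0] if passwd[0] == "compat" and compat else None
    if (passwd[0], second) in PERMITTED:
        return True, "permitted"
    return False, "not permitted: passwd: " + passwd[0]


if __name__ == "__main__":
    print(check_passwd_entry(SAMPLE))
```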


The nispasswd Command

All functions previously performed by the nispasswd command are now performed by the passwd command. When issuing commands from the command line, you should use passwd, not nispasswd.

(The nispasswd command is still retained with all of its functionality for the purpose of backward compatibility.)

The yppasswd Command

All functions previously performed by the yppasswd command are now performed by the passwd command. When issuing commands from the command line, you should use passwd, not yppasswd.

(The yppasswd command is still retained with all of its functionality for the purpose of backward compatibility.)

 
 
 