Re: [Fed-Talk] Password Complexity?
- Subject: Re: [Fed-Talk] Password Complexity?
- From: Michael <email@hidden>
- Date: Thu, 11 Jan 2007 13:02:05 -0500
On Jan 11, 2007, at 12:21 PM, Cardona, Cris Mr Nortel Government
Solutions wrote:
I'm setting password complexity on the Mac using the pwpolicy command.
Is there a way to set special characters in the pwpolicy? The only
settings I know of are these. I haven't found a way to set special
characters. The policy requires 2 special characters.
I previously pointed out the lack of a special character
requirement. The point was made that if you need these requirements
then you should set up a server to handle authorization, which is
totally useless when people need a laptop on travel and are off the
Internet (or desktop machines isolated from the local network or that
move between different isolated networks). (Why require additional
hardware and expense to configure password requirements when that is
not needed for Windows and Unix/Linux?)
usingHistory=value
minChars=value
requiresAlpha=value
requiresNumeric=value
passwordCannotBeName=value
maxFailedLoginAttempts=value
requiresMixedCase=value
but I don't think it works on an isolated system and appears to be
unsettable.
Another is:
maxMinutesUntilChangePassword=value
One thing to watch for: when an exception is generated and an
account is locked out via a pwpolicy policy event, that account
disappears from Accounts in System Preferences and you have to
re-enable it using pwpolicy.
You should also disable the weak and unneeded hashes:
pwpolicy -getglobalhashtypes
pwpolicy -setglobalhashtypes SMB-NT off SMB-LAN-MANAGER off
Check users with:
pwpolicy -n /NetInfo/DefaultLocalNode -gethashtypes -u username
Obviously if you're using some type of remote authentication
LocalNode is probably not what you want. But then for laptops on
travel remote auth is hardly useful.
When you change a password on OS X, it stores it in three different
hashes; the one labeled "SMB-LAN-MANAGER" is the weak LANMAN hash,
very breakable. I don't know how hard the "SMB-NT" hash is to break,
but I disable it as we don't need it.
Michael
Fed-talk mailing list (email@hidden)
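An added audit script (not from the message or from Apple's pwpolicy) that checks the two things discussed above offline: whether a policy string still lacks the listed requirements, and whether the weak SMB hash types are still enabled for a user. It assumes pwpolicy reports the policy as space-separated key=value pairs and the hash types one per line; both samples below are constructed, so substitute the real command output.

```shell
#!/bin/sh
# Offline checks for the pwpolicy settings discussed in the message.
# Constructed samples stand in for real pwpolicy output (format assumed).

# Hash types the message recommends turning off with -setglobalhashtypes.
WEAK_HASHES="SMB-LAN-MANAGER SMB-NT"

# Constructed stand-in for:
#   pwpolicy -n /NetInfo/DefaultLocalNode -gethashtypes -u <user>
sample_hashtypes() {
  printf '%s\n' "SMB-NT" "SMB-LAN-MANAGER" "SALTED-SHA1"
}

# Constructed policy string using the keys listed in the message.
SAMPLE_POLICY="usingHistory=5 minChars=8 requiresAlpha=1 requiresNumeric=1 requiresMixedCase=0 maxFailedLoginAttempts=5"

# Reads hash types on stdin; prints each weak one, returns 1 if any found.
weak_hashes_enabled() {
  found=0
  while IFS= read -r line; do
    for weak in $WEAK_HASHES; do
      [ "$line" = "$weak" ] && { echo "$line"; found=1; }
    done
  done
  return $found
}

# Prints the value of key $2 in policy string $1; returns 1 if absent.
policy_value() {
  for kv in $1; do
    case "$kv" in "$2="*) echo "${kv#*=}"; return 0 ;; esac
  done
  return 1
}

# Checks policy string $1 against minimums; prints each failing key,
# returns 1 on any failure. Note there is no special-character key to test.
check_policy() {
  rc=0
  v=$(policy_value "$1" minChars) || v=0
  [ "$v" -ge 8 ] || { echo "minChars=$v (want >= 8)"; rc=1; }
  for key in requiresAlpha requiresNumeric requiresMixedCase; do
    v=$(policy_value "$1" "$key") || v=0
    [ "$v" = 1 ] || { echo "$key=$v (want 1)"; rc=1; }
  done
  return $rc
}
```

Run the real commands in place of the sample functions, e.g. `pwpolicy -n /NetInfo/DefaultLocalNode -gethashtypes -u "$user" | weak_hashes_enabled` for each local account.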