Under 10.5 the syntax I used is:
pwpolicy -n /Local/Default -setglobalpolicy minChars=8
NOTE: with your settings the users are locked out of their computers
exactly 30 days to the minute after they last changed their password.
No warning will be given by OS X at login or at any other time.
This means if the screen saver kicks in the user is locked out right
then and there.
Consider a user giving a presentation in your conference room with a
laptop, a discussion starts and the screen saver kicks in, the user is
locked out of that computer completely until you figure out how to
unlock it if you are even available.
Or the user comes into their office, logs in, and then goes to a
meeting, two hours later they return to their office to find they can't
get into the computer.
Unlocking an account is not as simple as just going in with an admin
account and resetting the password, in my experience OS X prevents that.
I've dealt with this under 10.4 and 10.5, if you haven't practiced by
setting the lock time to 1 day (1440 minutes for example) and then
actually unlocking that test user account the next day you are not
ready for this. I learned the hard way.
To put this in perspective, it is less invasive to set the screen saver
to lock after 1 minute of inactivity than to lock the user account
because the password hasn't changed in 30 days.
The only good thing is if your local policy is indeed 30 days and you
go forward with enforcing this at the OS level, you won't have time to
forget what you did before the effects are felt.
Michael
ps. 6 characters is a very short password
pps. this ever decreasing time between password changes is
counterproductive, because of the difficulty in creating strong and
rememberable passwords this forces the users to figure ways around the
system and violating the intent and the specific rules that are far
more important but not implementable in software--a number of articles
have been written on this subject. If a user has access to say 10
computers, the more often they have to change the password the less
likely the passwords will be different between unrelated computers.
The longer the passwords have to be the same applies; however, 6
characters is far too short. To put even the 6 character limit in
perspective, consider a user with access to 10 computers, in essence
the user has to remember a new 60 character password every 30 days.
What about someone with access to 20 different computer systems, or
even more like I handle. For a test, write down ten 6-character
passwords that follow your rules and are not trivially guessable, close
the paper, walk away and tomorrow write those down again without
looking at the first sheet. Unfortunately those that make the rules
are never tested to see if they have the skills to follow the rules
they make.
For real excitement change the passwords on several of your computers
at 3 PM on Friday, can you get back in Monday morning? Even better
yet do that before a vacation.
One has to consider why passwords should be changed this often, one
reason is that the password could be compromised by system access in
which case the time to change the password could be set to be roughly
equal to the time required to crack the password hash which is highly
system dependent and using rainbow tables can make that minutes
<http://en.wikipedia.org/wiki/Rainbow_table>
<http://www.codinghorror.com/blog/archives/000949.html>.
Another possible compromise is the password can be obtained by
observation (windowless offices and no cubicles anyone), but if that
happens on day 1 then the system is accessible for 29 days. In both
these cases longer passwords are better and changing short passwords
more often is worse.