Re: [Fed-Talk] RE: How to configure complex password requirements?
- Subject: Re: [Fed-Talk] RE: How to configure complex password requirements?
- From: "DeMattia, Edmond G." <email@hidden>
- Date: Mon, 24 Jan 2011 15:11:45 -0500
The [A-Z][a-z] and the [0-9] settings were clear. I didn't see how to
implement a special character. As it stands, it appears you can only
enforce 2 character sets as the [A-Z] and [a-z] are not treated
independently.
On 1/24/11 2:44 PM, "Dan O'Donnell" <email@hidden> wrote:
>The man pages will tell you what pwpolicy can do, and how to apply the
>policies you want. Check 'man pwpolicy' from the Terminal - it appears
>that upper case, lower case and numerics can be required password policy
>settings, but not symbols:
>
>Global Policies
>
>requiresAlpha If 1, user's password is required to have a character
>in [A-Z][a-z].
>
>requiresNumeric If 1, user's password is required to have a character
>in [0-9].
>
>Some other policy settings that pwpolicy can implement (found with man
>pwpolicy):
>
>usingHistory 0 = user can reuse the current password, 1 = user cannot
>reuse the current password, 2-15 = user cannot reuse the last n passwords.
>
>usingExpirationDate If 1, user is required to change password on the
>date in expirationDateGMT
>
>usingHardExpirationDate If 1, user's account is disabled on the date
>in hardExpireDateGMT
>
>expirationDateGMT Date for the password to expire, format must be:
>mm/dd/yy
>
>hardExpireDateGMT Date for the user's account to be disabled, format
>must be: mm/dd/yy
>
>maxMinutesUntilChangePassword user is required to change the password
>at this interval
>
>maxMinutesUntilDisabled user's account is disabled after this interval
>
>maxMinutesOfNonUse user's account is disabled if it is not accessed
>by this interval
>
>maxFailedLoginAttempts user's account is disabled if the failed login
>count exceeds this number
>
>minChars passwords must contain at least minChars
>
>maxChars passwords are limited to maxChars
>
>Additional User Policies
>
>isDisabled If 1, user account is not allowed to authenticate, ever.
>
>isAdminUser If 1, this user can administer accounts on the password
>server.
>
>newPasswordRequired If 1, the user will be prompted for a new password
>at the next authentication. Applications that do not support change
>password will not authenticate.
>
>
>
>On 1/24/11 11:30 AM, "DeMattia, Edmond G." <email@hidden> wrote:
>
>> Specifically, how did you get the 4 character sets to be required?
>> That's what I'm looking for.
>>
>> Thanks
>>
>> On 1/24/11 2:21 PM, "Matthew Smith" <email@hidden> wrote:
>>
>>> You can do a "man pwpolicy" from terminal to see all the options. I'm
>>> not sure if all of them work on a standalone. I was able to get the
>>> following to work on 10.6 standalones: 14-char requirement, 1 upper, 1
>>> lower, 1 number, 1 symbol. Didn't mess with the expiration, so I don't
>>> know if that works on standalones.
>>>
>>> Matthew
>>>
>>> On Jan 24, 2011, at 11:15 AM, Valentine, Ruth Ann B. wrote:
>>>
>>>> Use pwpolicy to set each user:
>>>>
>>>> sudo pwpolicy -a adminname -u username -setpolicy "minChars=12"
>>>>
>>>> I have not got a local machine to take a global policy, so I wrote a
>>>> little shell script to run on each user after they are created.
>>>>
>>>> You can also use newPasswordRequired=1 to force them to change the
>>>> password on their first login.
>>>>
>>>> Some of the settings tell them what policy explicitly they are not
>>>> meeting (minChars is one) others only say it doesn't meet policy, so
>>>> be sure you are clear when you tell the user what the policy is.
>>>>
>>>> -----Original Message-----
>>>> From: fed-talk-bounces+ruthann=email@hidden
>>>> [mailto:fed-talk-bounces+ruthann=email@hidden] On Behalf Of
>>>> DeMattia, Edmond G.
>>>> Sent: Monday, January 24, 2011 10:59 AM
>>>> To: email@hidden
>>>> Subject: [Fed-Talk] How to configure complex password requirements?
>>>>
>>>> How can I configure a 10.6 workstation that's doing local
>>>> authentication to force users to use complex passwords? I also need
>>>> to set a minimum of 12 characters. Is there a way to do it natively?
>>>>
>>>> TIA
>>>>
>>>> _______________________________________________
>>>> Do not post admin requests to the list. They will be ignored.
>>>> Fed-talk mailing list (email@hidden)
>>>> Help/Unsubscribe/Update your Subscription:
>>>>
>>>> This email sent to email@hidden
>>>
>>
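Added example, not part of the thread and not the script mentioned in it: one way to run the per-user `pwpolicy -setpolicy` call over every regular local account, using only policy keys quoted from the man page above. The admin name, the UID cutoff of 501 and the sample account list are assumptions; the default run is a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: per-user pwpolicy rollout for local accounts.
ADMIN="${ADMIN:-adminname}"   # assumption: placeholder admin account name
MIN_UID="${MIN_UID:-501}"     # assumption: regular local accounts start at UID 501
# Keys taken from the man page excerpt quoted in the thread; several keys
# can be passed in one space-separated -setpolicy string.
# newPasswordRequired=1 forces a change so existing passwords meet the policy.
POLICY="minChars=12 requiresAlpha=1 requiresNumeric=1 newPasswordRequired=1"

# Constructed sample of `dscl . -list /Users UniqueID` output for offline runs.
SAMPLE_USERS='_www 70
daemon 1
nobody -2
root 0
alice 501
bob 502'

# Read "name uid" pairs on stdin; print the names of regular accounts only.
regular_users() {
    while read -r name uid; do
        case "$name" in ''|_*) continue ;; esac          # skip service accounts
        case "$uid" in ''|*[!0-9]*) continue ;; esac     # skip negative/non-numeric UIDs
        [ "$uid" -ge "$MIN_UID" ] && printf '%s\n' "$name"
    done
    return 0
}

# Print (dry-run) or execute (apply) the pwpolicy call for each regular user.
apply_policy() {
    mode="$1"
    regular_users | while read -r user; do
        if [ "$mode" = "apply" ]; then
            sudo pwpolicy -a "$ADMIN" -u "$user" -setpolicy "$POLICY"
        else
            printf 'sudo pwpolicy -a %s -u %s -setpolicy "%s"\n' \
                "$ADMIN" "$user" "$POLICY"
        fi
    done
}

# Dry run against the constructed sample. On a real workstation:
#   dscl . -list /Users UniqueID | apply_policy apply
printf '%s\n' "$SAMPLE_USERS" | apply_policy dry-run
```

After an apply run, `pwpolicy -u username -getpolicy` prints the account's effective policy, which shows whether each key was actually accepted on a standalone machine.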