Skip to main content

6.1 Setting the Password Policy


6.1 Setting the Password Policy
Passwords have limitations such as length and character type. Those password attributes conform to rules called the password policy.
The current password policy applies to every user account that is created. For this reason, check the current password policy, and adjust the password policy as needed before creating any user account.
  1. Execute the showpasswordpolicy command to check the password policy.
XSCF> showpasswordpolicy
Mindays: 0
Maxdays: 99999
Warn: 7
Inactive: -1
Expiry: 0
Retry: 3
Difok: 3
Minlen: 9
Dcredit: 1
Ucredit: 1
Lcredit: 1
Ocredit: 1
Remember: 3
Table 6-1  Display contents of the showpasswordpolicy command
Display item Description
Mindays Minimum number of days after a password change before the next time that the password can be changed. 0 indicates that the password can be changed anytime.
Maxdays Maximum number of days that a password is valid
Warn Number of days after a password expiration warning is issued before the password actually expires
Inactive Number of days after the password expiration time before the account is locked out.
The default value is -1. The value of -1 means that the account is not locked after the password expires.
Expiry Number of days that the account remains valid
Retry Number of permitted retries to change a password
Difok Number of characters to be included in the new password but are not included in the old password
Minlen Minimum acceptable password length
Dcredit A password that contains numeric characters can be shorter than the minimum acceptable password length (Minlen). The decreased number of characters is up to the number of numeric characters included in the password. Here, you can set the maximum value for this decrease.
Ucredit A password that contains uppercase characters can be shorter than the minimum acceptable password length (Minlen). The decreased number of characters is up to the number of uppercase characters included in the password. Here, you can set the maximum value for this decrease.
Lcredit A password that contains lowercase characters can be shorter than the minimum acceptable password length (Minlen). The decreased number of characters is up to the number of lowercase characters included in the password. Here, you can set the maximum value for this decrease.
Ocredit A password that contains non-alphanumeric characters can be shorter than the minimum acceptable password length (Minlen). The decreased number of characters is up to the number of non-alphanumeric characters included in the password. Here, you can set the maximum value for this decrease.
Remember Number of passwords to be stored in the password history
  1. Execute the setpasswordpolicy command to set the password policy.
    The setpasswordpolicy command sets the password policy with the following options.
Table 6-2  setpasswordpolicy command options
Option Password policy
-n
Mindays
-M
Maxdays
-w
Warn
-i
Inactive
-e
Expiry
-y
Retry
-k
Difok
-m
Minlen
-d
Dcredit
-u
Ucredit
-l
Lcredit
-o
Ocredit
-r
Remember
  1. The example below specifies the following:
    - A retry count of up to 3

    - A password length of 6 characters or more when the password contains 2 numeric characters. A password length of 8 characters or more when the password does not contain numeric characters

    - An expiration time of 60 days

    - 15 days ahead as the start date for warnings before the password expires

    - 3 as the number of passwords to remember
XSCF> setpasswordpolicy -y 3 -m 8 -d 2 -u 0 -l 0 -o 0 -M 60 -w 15 -r 3
  1. Execute the showpasswordpolicy command, and confirm the settings.
XSCF> showpasswordpolicy
Mindays: 0
Maxdays: 60
Warn: 15
Inactive: -1
Expiry: 0
Retry: 3
Difok: 1
Minlen: 8
Dcredit: 2
Ucredit: 0
Lcredit: 0
Ocredit: 0
Remember: 3