
3.5.7 Checking/Changing the Password Policy


Once the password policy is set for a local user account saved in the XSCF, the password policy applies to users added later. Use the showpasswordpolicy command to check the password policy that is currently set. After checking the password policy, if you want to change it, use the setpasswordpolicy command. Execute the setpasswordpolicy command with a user account that has the useradm privilege.
The setpasswordpolicy command sets the password policy with the following options.
Table 3-9  setpasswordpolicy command options

| Option | Password Policy | Content of Setting |
|--------|-----------------|--------------------|
| -n | Mindays | Minimum number of days after a password change before the next time that the password can be changed. 0 indicates that the password can be changed anytime. |
| -M | Maxdays | Maximum number of days that a password is valid |
| -w | Warn | Number of days after a password expiration warning is issued before the password actually expires |
| -i | Inactive | Number of days after the password expiration time before the account is locked out |
| -e | Expiry | Number of days that the account remains valid |
| -y | Retry | Number of permitted retries to change a password |
| -k | Difok | Number of characters not included in the old password but to be included in the new password |
| -m | Minlen | Minimum acceptable password length |
| -d | Dcredit | A password that contains numeric characters can be shorter than the minimum acceptable password length (Minlen). The decreased number of characters is up to the number of numeric characters included in the password. Here, you can set the maximum value for this decrease. |
| -u | Ucredit | A password that contains uppercase characters can be shorter than the minimum acceptable password length (Minlen). The decreased number of characters is up to the number of uppercase characters included in the password. Here, you can set the maximum value for this decrease. |
| -l | Lcredit | A password that contains lowercase characters can be shorter than the minimum acceptable password length (Minlen). The decreased number of characters is up to the number of lowercase characters included in the password. Here, you can set the maximum value for this decrease. |
| -o | Ocredit | A password that contains non-alphanumeric characters can be shorter than the minimum acceptable password length (Minlen). The decreased number of characters is up to the number of non-alphanumeric characters included in the password. Here, you can set the maximum value for this decrease. |
| -r | Remember | Number of passwords to be stored in the password history |

Operation Procedure
  1. Execute the showpasswordpolicy command to check the password policy.
XSCF> showpasswordpolicy
Mindays: 0
Maxdays: 90
Warn: 7
Inactive: -1
Expiry: 0
Retry: 5
Difok: 1
Minlen: 8
Dcredit: 0
Ucredit: 0
Lcredit: 0
Ocredit: 0
Remember: 4
  2. As necessary, execute the setpasswordpolicy command to change the settings of the password policy.
     The example below specifies the following:

    - A retry count of up to 3

    - A password length of 6 characters or more when the password contains 2 numeric characters. A password length of 8 characters or more when the password does not contain numeric characters.

    - An expiration time of 60 days

    - 15 days ahead as the start date for warnings before the password expires

    - 3 as the number of passwords to remember
XSCF> setpasswordpolicy -y 3 -m 8 -d 2 -u 0 -l 0 -o 0 -M 60 -w 15 -r 3
  3. Execute the showpasswordpolicy command, and confirm the settings.
XSCF> showpasswordpolicy
Mindays: 0
Maxdays: 60
Warn: 15
Inactive: -1
Expiry: 0
Retry: 3
Difok: 1
Minlen: 8
Dcredit: 2
Ucredit: 0
Lcredit: 0
Ocredit: 0
Remember: 3
Note - The system password policy does not apply when a password is changed by the password command with another user specified in the user operand. When changing the password of another user, be sure to specify a password conforming to the system password policy.
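
The length credits in Table 3-9 (Dcredit, Ucredit, Lcredit, Ocredit) lower the effective minimum password length, so it helps to compute that floor when reviewing a policy. The following Python code is an added example, not part of this manual or of the XSCF firmware: it parses captured showpasswordpolicy output and models the length rule as the table describes it. The function names, the summing of credits across character classes, and the handling of negative values are assumptions.

```python
import re

# Constructed sample: the showpasswordpolicy output from step 3 of the procedure.
SAMPLE_OUTPUT = """XSCF> showpasswordpolicy
Mindays: 0
Maxdays: 60
Warn: 15
Inactive: -1
Expiry: 0
Retry: 3
Difok: 1
Minlen: 8
Dcredit: 2
Ucredit: 0
Lcredit: 0
Ocredit: 0
Remember: 3
"""

# Credit setting -> test for the character class it rewards.
CREDIT_CLASSES = {
    "Dcredit": str.isdigit,
    "Ucredit": str.isupper,
    "Lcredit": str.islower,
    "Ocredit": lambda ch: not ch.isalnum(),
}

def parse_policy(text):
    """Turn 'Name: value' lines into a dict of ints; prompt lines are skipped."""
    pairs = re.findall(r"^[ \t]*([A-Za-z]+):[ \t]*(-?\d+)[ \t]*$", text, re.MULTILINE)
    return {name: int(value) for name, value in pairs}

def required_length(password, policy):
    """Minlen minus the credits this password earns, per the table's description."""
    earned = 0
    for setting, in_class in CREDIT_CLASSES.items():
        count = sum(1 for ch in password if in_class(ch))
        # Assumption: credits from different classes add up; values below 0 earn nothing.
        earned += min(count, max(policy.get(setting, 0), 0))
    return policy["Minlen"] - earned

def meets_length(password, policy):
    """True if the password is at least as long as its own required length."""
    return len(password) >= required_length(password, policy)

def shortest_accepted(policy):
    """Smallest length the length rule allows for any password under this policy."""
    total = sum(max(policy.get(s, 0), 0) for s in CREDIT_CLASSES)
    length = 0
    while length + min(length, total) < policy["Minlen"]:
        length += 1
    return length
```

For the policy set in the procedure, shortest_accepted returns 6, which is the real length floor to compare against your site baseline rather than the Minlen value of 8. Difok, Remember and the aging settings are not modeled here.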