
Password Aging

The password aging mechanism forces users to change their passwords periodically. It also prevents a user from changing a new password before a specified time interval. You can also force a user to change his or her password immediately.

Realistically, password aging forces users to adopt at least two passwords for their accounts. This is because, when password aging is enforced, most users alternate between two passwords that they find easy to remember rather than inventing new passwords every time their old ones expire. IRIX does not provide a utility that determines whether users are choosing from a set of passwords and, if so, then forces them to choose completely different passwords.

Note: Password aging is not supported for NIS entries (see passwd(4)).


Password Aging With the passwd Command

To set the maximum number of days that can elapse before a user must change his or her password, use the passwd(1) command with the following syntax:

passwd -x max name
where max is the maximum number of days the password is valid for user name. For example, this command forces user alice to change her password every two weeks (14 days):

passwd -x 14 alice 
If you set max to 0, the user must change her password when she next logs in, but thereafter password aging is not in effect for her. If you set -x to -1, password aging is turned off immediately for that user.

You can also set the minimum time that must elapse before users are allowed to change their passwords. This is useful to prevent users from changing their passwords, then changing them back to their old passwords immediately. For example:

passwd -x 14 -n 7 ralph 
This forces user ralph to change his password every fourteen days and prevents him from changing it more frequently than once every seven days. Note that if you set the minimum value greater than the maximum value, the user may not ever change his or her password.

To force users to change their passwords immediately, use the -f option. For example:

passwd -f trixie 

Using Password Aging Manually

Another way to enforce password aging is to edit the /etc/passwd file and insert the appropriate information after the password fields in the desired account entries.

Password aging information is appended to the encrypted password field in the /etc/passwd file. The password aging information consists of a comma and up to four bytes (characters) in the format:

,Mmww 
The meaning of these fields is as follows:

,

The comma separates the password and the aging information.

M

The Maximum duration of the password.

m

The minimum time interval before the existing password can be changed by the user.

ww

The week (counted from the beginning of 1970) when the password was last changed and two characters, ww, are used. You do not enter this information. The system automatically adds these characters to the password aging information.

All times are specified in weeks (0 through 63) by a 64-character alphabet. The following chart shows the relationship between the numerical values and character codes. Any of the character codes can be used in the four fields of the password aging information. Table 4-1 lists the password aging codes and their meanings.

Table 4-1 Password Aging Character Codes

Character        Number of Weeks
. (period)       0 (zero)
/ (slash)        1
0 through 9      2 through 11
A through Z      12 through 37
a through z      38 through 63

Two special cases apply for the character codes:

The following example shows the password aging information required to establish a new password every two weeks (0) and to deny changing the new password for one week (/) for user ralph:

ralph:RSOE2m.E,0/:100:1:Ralph P. Cramden:/usr/people/ralph: 
After ralph's first login following the change, the system automatically adds the two-character, "last-time-changed" information to the password field:

ralph:RSOE2m.E,0/W9:100:1:Ralph P. Cramden:/usr/people/ralph: 
In this example, ralph changed his password in week W9. To force ralph to change his password at the next login (and to cause this only once), you can add the code ,.. to the password field:

ralph:RSOE2m.E,..:100:1:Ralph P. Cramden:/usr/people/ralph: 
After ralph changes his password, the system automatically removes the aging code (,..) from the password field. To prevent ralph from changing his password, use the code ,./. Edit the /etc/passwd file and add a comma, period, and slash to the password field:

ralph:RSOE2m.E,./:100:1:Ralph P. Cramden:/usr/people/ralph: 
Now only root can change the password for the ralph account. If ralph tries to change the password, he sees the message permission denied.
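The following Python script is an added example, not part of the IRIX manual: it encodes and decodes the ",Mmww" suffix using the alphabet of Table 4-1, walks the ralph entries above, and reports the special cases (",..", ",./" and, as the passwd section warns, any minimum greater than the maximum). The manual does not state how the two "ww" characters are ordered; the a64l(3) convention (first character least significant) is assumed here and marked as such in the code.

```python
import string

# 64-character alphabet from Table 4-1: '.'=0, '/'=1, '0'-'9'=2..11,
# 'A'-'Z'=12..37, 'a'-'z'=38..63.
AGING_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase

def weeks_from_code(ch):
    """Map one aging character to its week count (0..63)."""
    return AGING_ALPHABET.index(ch)

def code_from_weeks(weeks):
    """Map a week count (0..63) back to its aging character."""
    if not 0 <= weeks <= 63:
        raise ValueError("aging values must be 0..63 weeks")
    return AGING_ALPHABET[weeks]

def encode_aging(max_weeks, min_weeks):
    """Build the ',Mm' suffix an administrator appends by hand in /etc/passwd."""
    return "," + code_from_weeks(max_weeks) + code_from_weeks(min_weeks)

def parse_aging(password_field):
    """Split an /etc/passwd password field into (hash, aging info or None).

    ASSUMPTION: the two-character 'ww' pair is decoded with the a64l(3)
    convention (first character least significant); the manual does not say.
    """
    pw_hash, sep, aging = password_field.partition(",")
    if not sep:
        return pw_hash, None
    if len(aging) not in (2, 4) or any(c not in AGING_ALPHABET for c in aging):
        raise ValueError("malformed aging field: %r" % aging)
    max_w, min_w = weeks_from_code(aging[0]), weeks_from_code(aging[1])
    last_changed = None
    if len(aging) == 4:
        last_changed = weeks_from_code(aging[2]) + 64 * weeks_from_code(aging[3])
    if (max_w, min_w) == (0, 0):            # ",.." : one-time forced change
        status = "must change at next login"
    elif min_w > max_w:                     # ",./" and any other min > max
        status = "only root can change"
    else:
        status = "aging active"
    return pw_hash, {"max_weeks": max_w, "min_weeks": min_w,
                     "last_changed_week": last_changed, "status": status}

def parse_passwd_line(line):
    """Return (user, hash, aging info) for one /etc/passwd line."""
    fields = line.rstrip("\n").split(":")
    pw_hash, info = parse_aging(fields[1])
    return fields[0], pw_hash, info
```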

