Sunday, 31 August 2014

Preventing your users from choosing obvious passwords

There are two kinds of obvious passwords:

1. Dictionary words or common acronyms
2. Names or phrases that are in common use within your organisation

Fortunately there are some simple ways to prevent users making poor choices:

1. Enforce password history. This prevents a password from being re-used.

# chsec -f /etc/security/user -s default -a  <setting>=<restriction>

histsize = 4
histexpire = 26
minage = 1
maxage = 52
maxexpired = 8

2. Set password pattern restrictions e.g. a password must have at least one capital letter or number

# chsec -f /etc/security/user -s default -a  <setting>=<restriction>

logintimes =
pwdwarntime = 5
loginretries = 5
minalpha = 2
minother = 2
minlen = 8
mindiff = 4
maxrepeats = 2

3. Use a custom dictionary to prevent the use of words that are in common use in your organisation or are so common as to be easily guessed:

Create a text file or use the standard "/usr/share/dict/words" file and create a list of banned words or terms e.g.

Set the AIX default password restrictions to check these words when a user changes their password:

# chsec -f /etc/security/user -s default -a dictionlist=/usr/share/dict/words

Once the restrictions are in place the users are then prevented from choosing a word from this list:

$ passwd
Changing password for "test"
test's Old password:
test's New password: (the password entered is “test”)
3004-335 Passwords must not match words in the dictionary.
