topic Re: finding maximum characters for password in Operating System - HP-UX

finding maximum characters for password

Jimmy Kong_1 — Thu, 25 Aug 2005 20:43:33 GMT

I'm working on HP-UX 10.20.
How do I find out the maximum number of characters for a user generated password?

Re: finding maximum characters for password

A. Clay Stephenson — Thu, 25 Aug 2005 21:09:34 GMT

If this is a trusted system then look in /tcb/files/auth/[a-z]/username. If the field u_maxlen is defined then that is the limit. If not defined then the limit defined in /tcb/files/auth/system/default is the value (u_maxlen). If this is a non-trusted system or uses NIS then 8 significant characters is the limit although more than 8 can be entered.

Re: finding maximum characters for password

Bill Hassell — Thu, 25 Aug 2005 21:10:01 GMT

Unless your system is Trusted (look for a directory: /tcb which means it is Trusted), the maximum is 8 characters. BUT it is NOT enforced so you may enter 50 characters to create the password and all characters beyond 8 are silently ignored. You may enter more than 8 characters when logging in but every character after 8 is meaningless. Fot Trusted systems, use SAM to look at the security policies.

Re: finding maximum characters for password

Adisuria Wangsadinata_1 — Thu, 25 Aug 2005 21:42:36 GMT

Hi,

You can check also the information about password on the manual page of the passwd command :

# man passwd

Hope this information can help you.

Cheers,
AW

Re: finding maximum characters for password

Jimmy Kong_1 — Thu, 25 Aug 2005 22:49:29 GMT

It is a trusted system, the limit appears to be defined in
/tcb/files/auth/system/default (u_maxlen=12). Is this for system generated password?
However, it seems NOT enforced as I can reset the password to more than 50 characters.
From what you said, "characters beyond 8 are silently ignored".
I tested that with more than 15 characters and it didn't accept the password
even though the first 8 characters are correct.
Under SAM, the security policies stated maximum password length is set to 12
but I understand this operates under system generated password
(not user generated which I'm looking into).

Re: finding maximum characters for password

Bill Hassell — Fri, 26 Aug 2005 08:02:10 GMT

You wrwote:

"
Aug 26, 2005 03:49:29 GMT N/A: Question Author
It is a trusted system, the limit appears to be defined in
/tcb/files/auth/system/default (u_maxlen=12). Is this for system generated password?"

Correct. Only for system generated passwords.

"However, it seems NOT enforced as I can reset the password to more than 50 characters."

There is a separate file for these settings. It is /etc/default/security and does not exist unless you create it. The settings that will work in this file depend entirely on your security patches. Use the man page for security (man security) to define the available keywords. For user-selected password length there are no controls. A user can enter whatever they want to use. There is a minimum password length however:

MIN_PASSWORD_LENGTH=6

You can also enforce a history (don't re-use old passwords) as well as controlling the UPPERCASE, lowercase, digts and special characters required in a user-generated password.

"From what you said, "characters beyond 8 are silently ignored".
I tested that with more than 15 characters and it didn't accept the password
even though the first 8 characters are correct."

This only applies to non-Trusted systems. Normally, no one will notice this feature until users with long passwords are converted to a Trusted system. The old password remains at 8 characters max b ut under a Trusted system, all characters entered are now significant. Therefore, the user must enter only 8 max to logon to the newly Trusted system.

"Under SAM, the security policies stated maximum password length is set to 12
but I understand this operates under system generated password
(not user generated which I'm looking into)."

Correct.