https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756681#M753566 You don't say what HP-UX release you are running, but given that you refer to /etc/default/security I will assume it's either 11.00 or 11.11.<BR /><BR />It seems that sites have a limitless number of special requirements<BR />for passwords. A custom PAM module is probably the 'right'<BR />solution here, but has obvious support cost consequences.<BR /><BR />Although I don't have a perfect solution for you, there is one simple<BR />solution that can help meet most of your requirements. Take a look<BR />at the documetation for patch PHCO_24390, which adds a<BR />new feature. Unfortunately this isn't yet mentioned in the security(4)<BR />manual pages. Quoting from the patch documentation:<BR /><BR /> A site's security policies sometimes require new passwords<BR /> to contain specific numbers or types of characters, such as<BR /> at least two digits and at least one special character.<BR /> Resolution:<BR /> In addition to the standard password requirements,<BR /> optional entries in the file /etc/default/security specify<BR /> the minimum number of required characters of each type<BR /> (upper case characters, lower case characters, digits<BR /> and special characters) in a new password.<BR /> PASSWORD_MIN_UPPER_CASE_CHARS=N<BR /> PASSWORD_MIN_LOWER_CASE_CHARS=N<BR /> PASSWORD_MIN_DIGIT_CHARS=N<BR /> PASSWORD_MIN_SPECIAL_CHARS=N<BR /> The default value for N is 0. These parameters have<BR /> effect only when a password is changed. On untrusted<BR /> systems, these parameters do not apply to the root user.<BR /> The file /etc/default/security should be owned by root and<BR /> have 0644 permissions.<BR /> As an example, to require passwords at least 8 characters<BR /> long, composed of at least 5 upper case characters, 2<BR /> lower case characters and a digit, include the following<BR /> lines in /etc/default/security, as specified above:<BR /> PASSWORD_MIN_UPPER_CASE_CHARS=5<BR /> PASSWORD_MIN_LOWER_CASE_CHARS=2<BR /> PASSWORD_MIN_DIGIT_CHARS=1<BR /><BR /> Thu, 04 Jul 2002 11:28:42 GMT doug hosking 2002-07-04T11:28:42Z https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756677#M753562 Greetings,<BR /><BR />Our client has requested that user passwords must include 3 of the following 4 types of characters: uppercase, lowercase, numbers, and special characters. However, according to the man page for passwd, only two groups are required by default (letters and either numbers or special characters). <BR /><BR />We're running as a trusted system, and there doesn't seem to be an option in SAM. I also couldn't find an appropriate variable to add to /etc/default/security.<BR /><BR />Can I satisfy this requirement through a configuration change, or do I need a third-party tool? <BR /><BR />Thanks for your consideration...<BR /><BR />~Michael Pasquale Tue, 02 Jul 2002 19:55:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756677#M753562 Michael Pasquale 2002-07-02T19:55:30Z https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756678#M753563 Hi Michael,<BR /><BR /> Think you can do this with a PAM - Pluggable Authentication Module.<BR />You'd have to modify the std module, write one or purchase it.<BR />If you do a strings | grep password on the /usr/lib/security/libpam.unix.1 file you'll see the following in the output<BR /><BR />The password entered is not valid. Valid passwords must contain at least:<BR /><BR />So the std module IS checking - it just has to be modified to check using your restrictions.<BR />Maybe someone out there has already done so.<BR />I know there are 3rd party products that will do this.<BR /><BR />Rgds,<BR />Jeff Tue, 02 Jul 2002 20:31:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756678#M753563 Jeff Schussele 2002-07-02T20:31:15Z https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756679#M753564 Hi Michael,<BR /><BR />You can try writing a passwd wrapper for it.<BR /><BR />A rough example (you definitely need to test and finetune):<BR /><BR /># mv /usr/bin/passwd /usr/bin/passwd.bin<BR /><BR /># cat /usr/bin/passwd<BR /><BR />#!/sbin/sh<BR /><BR />stty -echo<BR />echo "New UNIX password: \c"<BR />read passwd<BR />stty echo<BR /><BR />if echo $passwd | grep [0123456789] | grep [a-zA-Z] | grep [!@#$%^&amp;*()_+|] &gt;/dev/null 2&gt;&amp;1<BR />then<BR /> echo "This password qualifies. Proceeding..."<BR /> /usr/bin/passwd.bin $passwd<BR />fi<BR /><BR />Hope this helps. Regards.<BR /><BR />Steven Sim Kok Leong Wed, 03 Jul 2002 10:11:28 GMT https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756679#M753564 Steven Sim Kok Leong 2002-07-03T10:11:28Z https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756680#M753565 Thank you both very much!!<BR /><BR />Since enforcing such complexity is not immediately feasible (i.e., the change can't be made without additional coding/software), our client decided that this issue can wait for the time being.<BR /><BR />Thank you both for your input; I'll investigate your suggestions.<BR /><BR />Sincerely,<BR />Michael Pasquale Wed, 03 Jul 2002 14:58:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756680#M753565 Michael Pasquale 2002-07-03T14:58:37Z https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756681#M753566 You don't say what HP-UX release you are running, but given that you refer to /etc/default/security I will assume it's either 11.00 or 11.11.<BR /><BR />It seems that sites have a limitless number of special requirements<BR />for passwords. A custom PAM module is probably the 'right'<BR />solution here, but has obvious support cost consequences.<BR /><BR />Although I don't have a perfect solution for you, there is one simple<BR />solution that can help meet most of your requirements. Take a look<BR />at the documetation for patch PHCO_24390, which adds a<BR />new feature. Unfortunately this isn't yet mentioned in the security(4)<BR />manual pages. Quoting from the patch documentation:<BR /><BR /> A site's security policies sometimes require new passwords<BR /> to contain specific numbers or types of characters, such as<BR /> at least two digits and at least one special character.<BR /> Resolution:<BR /> In addition to the standard password requirements,<BR /> optional entries in the file /etc/default/security specify<BR /> the minimum number of required characters of each type<BR /> (upper case characters, lower case characters, digits<BR /> and special characters) in a new password.<BR /> PASSWORD_MIN_UPPER_CASE_CHARS=N<BR /> PASSWORD_MIN_LOWER_CASE_CHARS=N<BR /> PASSWORD_MIN_DIGIT_CHARS=N<BR /> PASSWORD_MIN_SPECIAL_CHARS=N<BR /> The default value for N is 0. These parameters have<BR /> effect only when a password is changed. On untrusted<BR /> systems, these parameters do not apply to the root user.<BR /> The file /etc/default/security should be owned by root and<BR /> have 0644 permissions.<BR /> As an example, to require passwords at least 8 characters<BR /> long, composed of at least 5 upper case characters, 2<BR /> lower case characters and a digit, include the following<BR /> lines in /etc/default/security, as specified above:<BR /> PASSWORD_MIN_UPPER_CASE_CHARS=5<BR /> PASSWORD_MIN_LOWER_CASE_CHARS=2<BR /> PASSWORD_MIN_DIGIT_CHARS=1<BR /><BR /> Thu, 04 Jul 2002 11:28:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/enforcing-more-complex-passwords/m-p/2756681#M753566 doug hosking 2002-07-04T11:28:42Z