cancel
Showing results for 
Search instead for 
Did you mean: 

Problem changing password

SOLVED
Go to solution
wvsa
Regular Advisor

Problem changing password

Good afternoon all;

We are running 11iv3 using a shadow file and the /etc/default/secruity file. In the security file we have the following requirements for a password:

# Optional restrictions for new passwords
# PASSWORD_MIN_UPPER_CASE_CHARS=0
# PASSWORD_MIN_LOWER_CASE_CHARS=0
PASSWORD_MIN_DIGIT_CHARS=1
PASSWORD_MIN_SPECIAL_CHARS=1
# PASSWORD_MIN_SPECIAL_CHARS=2


This morning upon logging into one of our servers I was asked to change my password. Choose the following password seek@him1

The seek@him1 password produced the following message:

New password:
The password entered is not valid. Valid passwords must contain at least:
0 upper case character(s),
0 lower case character(s),
1 digit(s), and
1 special character(s).





Too many failures - try later.


In a nutshell, it never accepted the seek@him1 password, why would that be ?

thankyou for your input

Norm
9 REPLIES
Steven Schweda
Honored Contributor

Re: Problem changing password

stty -a

Is "@" a special character?

A Forum search for keywords like, say,

passwd stty

should find many old discussions of this
problem.
James R. Ferguson
Acclaimed Contributor
Solution

Re: Problem changing password

Hi Norm:

The "@" character is treated as kill (or erase the line) control. Don't use it with login passwords. See the manpages for 'getty(1M)' and 'passwd(1)' for more information.

Regards!

...JRF...
Steven Schweda
Honored Contributor

Re: Problem changing password

> The "@" character is treated as kill (or
> erase the line) control. [...]

Not everywhere. Some of us arrange for less
user-hostile behavior (and better
compatibility with every sane UNIX(-like)
system on the planet).

dyi # uname -a
HP-UX dyi B.11.31 U ia64 4235313755 unlimited-user license

dyi # stty -a
speed 9600 baud; line = 0;
rows = 0; columns = 0
min = 1; time = 0;
intr = ^C; quit = ^\; erase = DEL; kill = ^U
eof = ^D; eol = ^@; eol2 ; swtch
stop = ^S; start = ^Q; susp = ^Z; dsusp = ^Y
werase ; lnext
[...]
Bill Hassell
Honored Contributor

Re: Problem changing password

There are 2 special characters in HP-UX that cannot be used before you login. The # and @ are predefined prior to login as backspace and line cancel. While there is an obscure way to change these values, never use @ or # in a password for HP-UX and you won't have problems.

Special characters are always a problem on any system. Trying to figure out which ones will be a problem is not easy. After you login, your local profile will set # to a backspace and @ to the cancel character CTRL-u.


Bill Hassell, sysadmin
Dennis Handly
Acclaimed Contributor

Re: Problem changing password

>Bill: After you login, your local profile will set # to a backspace and @ to the cancel character CTRL-u.

A better way to say this is:
set erase to a backspace and line kill to CTRL-U.
sachit patil
Regular Advisor

Re: Problem changing password

Please Use Seek@him1.
Steven Schweda
Honored Contributor

Re: Problem changing password

> Please Use Seek@him1.

Please explain why.
wvsa
Regular Advisor

Re: Problem changing password

All;

Thank you for your responses. Sorry to say still a bit confused. Seems like I'm seeing two different opinions/options. One group saying using Seek@him1 will work. Yet as was stated the man page for passwd indicates the # and @ values are not to be used, so it seems that the seek@him1 password is not a good choice.

The other problem is what other charactors other than # and @ should we avoid. Seems like the best option is skip the special character option. Our auditors would prefer we allow special charactors. So rambling a bit what special charactors can we use in a password and how to communicate these values to the users?

Any and all input welcomed!!


Thank you


Norm
Bill Hassell
Honored Contributor

Re: Problem changing password

> seek@him1

This will never work on a standard HP-UX system as a username or a password. My comments above concerning the driver defaults apply to all versions of HP-UX going back some 20 years. For versions of HP-UX after 10.20, you can use /dev/ttyconf as a method to set new defaults for the driver. The details are explained here:

http://docs.hp.com/en/5992-6579/ch02s03.html

This will allow you to use @ and # in passwords on this particular machine. If you have just one HP-UX box in your company then this is a good solution. Otherwise, you'll need to modify /etc/inittab on all the HP-UX boxes plus remember to modify any new boxes that are put into service.

HOWEVER: most companies have more than one computer, boxes like PCs, Macs, Oracle-Solaris, AIX, Linux, and so on. Now if your auditors require different passwords on each machine, then once you find out all the limitations for special characters for each of these machines, you can create different passwords that will work on each machine.

If this sounds very complicated, you are correct. Some auditors simply do not know the impact of a requirement such as mandatory special characters. System administrators will go crazy with all the phone calls about passwords that don't work. If the auditor's rules only apply to HP-UX, then use the above example and fix all your systems.

Or be prepared to collect a list of all the forbidden characters from all the machines and then teach classes to all your users about which characters cause problems on the different machines.


Bill Hassell, sysadmin