PASSWD(C) UNIX System V
Name
passwd - change login, modem (dialup shell), filesystem, or
group password
Syntax
passwd [ -mgF ] [ -dluf ] [ -n minimum ] [ -x expiration ] [
-r retries ] [ name ]
passwd -s [ -a ] [ name ]
Description
The passwd command is used by ordinary users to:
⊕ Change or delete their own login password.
⊕ List some of the attributes that apply to their
account.
In addition, system administrators can use the passwd
command to:
⊕ Change or delete any user's login password.
⊕ Change or delete modem (dialup shell), filesystem
mount, and group passwords.
⊕ Lock or unlock any user's account.
⊕ Invalidate (lock) dialup shell, filesystem, and group
passwords.
⊕ List some of the attributes of all users, or any single
user.
⊕ Change some of the attributes of any user.
However, it is recommended that system administrators use
the sysadmsh(ADM) Accounts selection to administrate
passwords. A user is considered to be a system
administrator if they are logged in as someone who has the
auth subsystem authorization.
Choosing a good password.
Your login password is one of the most important defenses
against security breaches. If a malicious person cannot log
into a system, it is much harder for that person to steal or
tamper with your data. Hence, by choosing a hard-to-guess
password (either of your own invention or one suggested by
the system), regularly changing it, and keeping it secret,
you can foil many attacks on your system.
In general, a password should:
⊕ Consist of a mixture of upper- and lower-case letters,
digits (0 - 9), and other non-letters (such as @, *, -,
/, space, tab, and control characters).
⊕ Be changed frequently (at least once every six months
to a year, and more often as necessary).
⊕ Be different on different machines.
⊕ Be easy to remember, so you don't have to write it
down.
⊕ Be kept secret and known only by you.
Passwords should not:
⊕ Be the name of a person, place, or thing; nor should a
password be the same as any user's login name, any
machine's name, or the name of any group.
⊕ Be a correctly spelt word, street or telephone number,
ZIP or postal code; nor should a password be a birthday
or anniversary of you or anyone you know.
⊕ Be written down (anywhere! - not on paper or in a
file); nor should passwords be stored in the function
keys of a terminal or memory of an intelligent modem.
⊕ Be told to any other person (not even for use in an
``emergency''); nor should a password be kept if you
suspect someone else knows it.
Spelling a word backwards or appending a digit to a word does
not turn a poor password choice into a ``good'' password.
However, taking two or three unrelated words and combining
them with some non-letters is a reasonable way of choosing
an easy-to-remember but hard-to-crack password. On SCO
System V, passwords can be up to 80 characters long, so
nonsensical rhymes (for example) can also be used as
passwords.
User login passwords.
When passwd is used to change or delete the password for
user name, the old password (if any) is prompted for. (The
password is not displayed as it is being entered.) System
administrators are not prompted for the old password unless
they are attempting to change their own password; the
superuser is never prompted for the old password. The
passwd command can only be used to change or delete the
password for user name by system administrators and the user
authorized to change user name's password. Normally, users
are authorized to change their own password.
Depending on how the system administrator has configured the
account, the user may or may not be able to choose their own
password, or may have a password chosen for them. If they
can neither choose their own password nor have passwords
generated for them, the password cannot be changed. If the
user is able to do both, passwd asks which should be done.
A password is considered valid until it has expired.
Passwords expire if they are not changed or deleted before
the expiration time has passed. Once expired, the user is
required to change (not delete) their password the next time
they log in. If a user fails to do so before the password's
lifetime has passed, the password is considered dead and the
user's account is locked.
Once locked, the user may not log in, may not be su(C)'ed
to, and no at(C), batch(C), or cron(C) jobs for that user
may run. Only a system administrator can unlock a user with
a dead password; a new password must be assigned.
To discourage re-use of the same password, the system
administrator may set a minimum change time. After changing
or deleting a password, the password may not be changed
again (even by a system administrator) until at least that
much time has elapsed.
Passwords may be deleted (or changed to be empty) only if
the user is authorized to not have a password. Users
without passwords are not recommended. (An empty password
is prompted for when logging in, but a deleted password is
not prompted for at login.)
If a password is being changed and the user has elected (or
is forced) to choose a system-generated password, each
suggested password is printed along with a hyphenated
spelling that suggests how the password could be pronounced.
To accept a suggested password, enter the password; if
entered correctly, passwd will prompt for the suggested
password to be entered again as confirmation. To reject a
suggestion, just enter RETURN; to abort the change
altogether, either enter ``quit'' or interrupt passwd.
If a password is being changed and the user has elected (or
is forced) to assign a password of their own choosing, the
new password is prompted for twice. It is checked for being
``obvious'' after the first prompt, and if deemed to be
acceptable is prompted for again. If the proposed password
is successfully entered a second time, it becomes the new
password for user name.
Both system-generated and self-chosen passwords are checked
for being easy-to-guess. See the section on ``Checking for
obvious passwords'' (below) for a description of the checks.
When dealing with a user's login password, the following
options are recognized:
-d Delete the password. A password may be deleted only if
the user is authorized to not have a password. System
administrators must always specify name; otherwise, the
name of the user who logged in is used.
-f Force user name to change their password the next time
they log in. This option may be specified only by
system administrators, and only when the user's
password is not being changed or deleted; name must be
explicitly given.
-l Lock user name out of the system by applying an
administrative lock; only system administrators may do
this and they must specify name.
-u Remove any administrative lock applied to user name;
only system administrators may do this and they must
specify name.
-n minimum
Set the amount of time which must elapse between
password changes for user name to minimum days. Only
system administrators may do this and they must specify
name.
-x expiration
Set the amount of time which may elapse before the
password of user name expires to expiration days. Only
system administrators may do this and they must specify
name. Once a password has expired, the user must
change it the next time they log in.
-r retries
Up to retries attempts may be made to choose a new
password for user name.
-s Report the password attributes of user name (or, if the
-a option is given, of all users). The format of the
report is:
name status mm/dd/yy minimum expiration
where status is PS if the user has a password, LK if
the user is administratively locked, or NP when the
user does not have a password. The date of the last
successful password change (or deletion) is shown as
mm/dd/yy. If neither name nor -a is specified, the
name of the user who logged in is assumed. Only system
administrators can examine the attributes of users
other than themselves.
If no -d, -f, -l, -u, or -s option is specified, the
password for user name is changed as described above. If no
name is given and no option which requires name is given,
then the name of the user who logged in is used. Only the
-a option may be specified with the -s option.
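The report format above can be consumed by an audit script that looks for accounts without a password (NP, which the page itself discourages) or under an administrative lock (LK). The following is an added example, not code from the passwd command or from SCO; the sample report it parses is constructed, and the struct and function names are this example's own:

```c
#include <stdio.h>
#include <string.h>

/* One line of the passwd -s report: name status mm/dd/yy minimum expiration */
struct pw_status {
    char name[32], status[3], changed[9]; /* status: PS, LK or NP; changed: mm/dd/yy */
    int minimum, expiration;              /* both in days */
};

/* Counts collected over a whole report. */
struct pw_audit { int no_password, locked, bad; };

/* Parse one report line. Returns 1 on success, 0 if the line is malformed
 * or carries a status code other than the three documented ones. */
int parse_status_line(const char *line, struct pw_status *out)
{
    if (sscanf(line, "%31s %2s %8s %d %d", out->name, out->status,
               out->changed, &out->minimum, &out->expiration) != 5)
        return 0;
    return strcmp(out->status, "PS") == 0 || strcmp(out->status, "LK") == 0
        || strcmp(out->status, "NP") == 0;
}

/* Constructed sample report (not output captured from a real system). */
const char *const sample_report =
    "root      PS 04/27/90 7 30\n"
    "guest     NP 01/15/90 0 0\n"
    "olduser   LK 12/01/89 0 30\n"
    "mary      PS 03/02/90 0 0\n"
    "garbage line\n";

/* Walk a report, counting NP and LK accounts. Lines that do not parse are
 * counted in .bad so a caller can refuse to trust a damaged report. */
struct pw_audit audit_report(const char *report)
{
    struct pw_audit a = { 0, 0, 0 };
    char line[256];
    const char *p = report;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p) : strlen(p);
        struct pw_status s;
        if (len >= sizeof line) len = sizeof line - 1;  /* truncate, never overflow */
        memcpy(line, p, len); line[len] = '\0';
        if (!parse_status_line(line, &s)) a.bad++;
        else if (strcmp(s.status, "NP") == 0) a.no_password++;
        else if (strcmp(s.status, "LK") == 0) a.locked++;
        p = nl != NULL ? nl + 1 : p + len;
    }
    return a;
}
```

On a live system the report text would come from running passwd -s -a as a system administrator; here it is embedded so the audit runs offline.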
Modem (dialup shell) passwords.
When a user whose login shell is listed in /etc/d_passwd
with an (encrypted) password logs in on a terminal line
listed in /etc/dialups, the password in /etc/d_passwd must
be supplied before the login succeeds. The -m option to
passwd allows system administrators to change, delete, or
invalidate (lock) the passwords for login shell name:
-d Delete the password.
-l Invalidate (``lock'') the password by arranging so that
no matter what the user enters, it will not be a valid
password. Doing so causes the old password to be lost.
-r retries
Up to retries attempts may be made to choose a new
password.
The name must always be specified. If name begins with a
slash (``/'') the entire shell pathname must match.
Otherwise the password for every shell whose basename is
name is changed.
If neither the -d nor -l option is specified, the password
is changed. The new password is prompted for twice, and
must pass checks similar to those for login passwords (see
below).
Filesystem mount passwords.
A password may be required when mounting a filesystem; see
mnt(C). The -F option to passwd allows system
administrators to change, delete, or invalidate (lock) the
password for filesystem name. The options are the same as
for modem passwords (see above).
Group passwords.
A password may be required when a user changes their current
working group; see newgrp(C). The -g option to passwd
allows system administrators to change, delete, or
invalidate (lock) the password for group name. The options
are the same as for modem passwords (see above).
Checking for obvious passwords.
To discourage poor password choices, various checks are
applied to reject unacceptable passwords. The checks which
are applied depend on the type of password being checked and
the system's configuration. Most of the checks for being
easy-to-guess are configurable; see goodpw(ADM).
The check procedure is as follows (a password is restricted
if, according to sysadmsh Accounts, it is to be ``checked
for obviousness''):
1a. User login passwords only: The new password must not
be the same as the old password. The password must not
be empty (or be deleted) unless the user is not
required to have a password.
1b. All other passwords: The new and old password may be
the same. Empty passwords are treated as deleted
passwords and are always acceptable.
2. All (non-empty) passwords: If the password is not
empty, it must be at least PASSLENGTH characters long
(see below).
3. All (non-empty) passwords: If the goodpw utility can
be run, it is used to perform all further checks. If
the file CHECKDIR/type/strength exists (and can be read
by goodpw) that file is used to modify the default
settings in /etc/default/goodpw. The CHECKDIR is
specified by CHECKDIR in /etc/default/passwd and type
is the kind of password being checked (user, modem,
group, or filsys). The strength is the degree of
checking to be done: secure if the user is restricted
(or, for all other password types, if the system
default is restricted); otherwise weak.
4. When goodpw cannot be run (all passwords): If the
password is not empty, it must contain at least one
character which is not a lower case letter (but must
not consist solely of digits).
5. When goodpw cannot be run (user login passwords only):
Finally, for user login passwords which are restricted,
the password must not be a palindrome, any user's login
name, the name of any group, or a correctly spelt
English word (American spelling); see accept_pw(S).
System-generated passwords are not checked unless the user
is restricted (see above), in which case the generated
password must pass the checks in step 5 before it is
suggested to the user. Generated passwords are never
checked by goodpw. The minimum value for PASSLENGTH, and
the minimum length of a generated password, are computed
based on the password's lifetime, delay between login
attempts, and other factors; see passlen(S).
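The fallback procedure (steps 1a, 2, 4 and 5, used for a login password when goodpw cannot be run) is small enough to be written out. The following is an added example, not the accept_pw(S) routine or any SCO code; it also applies the PASSLENGTH range rule from the Defaults section below. The enum, function names and the sample name list are this example's own assumptions:

```c
#include <ctype.h>
#include <string.h>

/* Reasons the fallback checks reject a proposed login password
 * (steps 1a, 2, 4 and 5 above, applied when goodpw cannot be run). */
enum pw_reason { PW_OK, PW_SAME_AS_OLD, PW_EMPTY, PW_TOO_SHORT,
                 PW_ALL_LOWER, PW_ALL_DIGITS, PW_PALINDROME, PW_IS_NAME };

/* PASSLENGTH rule from the Defaults section: outside 3..80 means 5. */
int effective_passlength(int configured)
{
    return (configured < 3 || configured > 80) ? 5 : configured;
}

static int is_palindrome(const char *s)
{
    size_t i, n = strlen(s);
    for (i = 0; i < n / 2; i++)
        if (s[i] != s[n - 1 - i]) return 0;
    return 1;
}

/* Constructed sample of login names, group names and words for step 5. */
const char *const sample_names[] = { "root", "daemon", "wheel", "guest2", NULL };

/* oldpw is NULL for an account with a deleted password; names is a
 * NULL-terminated list of login names, group names and dictionary words. */
enum pw_reason check_login_password(const char *newpw, const char *oldpw,
                                    int password_required, int restricted,
                                    int passlength, const char *const *names)
{
    const char *p;
    int has_non_lower = 0, has_non_digit = 0;
    if (oldpw != NULL && strcmp(newpw, oldpw) == 0)      /* step 1a */
        return PW_SAME_AS_OLD;
    if (newpw[0] == '\0')                                 /* step 1a */
        return password_required ? PW_EMPTY : PW_OK;
    if (strlen(newpw) < (size_t)effective_passlength(passlength))
        return PW_TOO_SHORT;                              /* step 2 */
    for (p = newpw; *p != '\0'; p++) {                   /* step 4 */
        if (!islower((unsigned char)*p)) has_non_lower = 1;
        if (!isdigit((unsigned char)*p)) has_non_digit = 1;
    }
    if (!has_non_lower) return PW_ALL_LOWER;
    if (!has_non_digit) return PW_ALL_DIGITS;
    if (!restricted) return PW_OK;                        /* step 5 */
    if (is_palindrome(newpw)) return PW_PALINDROME;
    for (; *names != NULL; names++)
        if (strcmp(newpw, *names) == 0) return PW_IS_NAME;
    return PW_OK;
}
```

Note that step 5's name and dictionary checks only matter for entries that survive step 4, since an all-lower-case login name or word is already rejected there.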
Defaults.
Several parameters may be specified in /etc/default/passwd.
The various settings, and their default values are:
PASSLENGTH=5
The minimum length of a password. If outside the range
3 to 80 (inclusive), then it is set to 5. The actual
minimum length used by passwd is the maximum of this
value and a value computed by taking into consideration
the lifetime of the password (and other factors).
RETRIES=4
The maximum number of repeated attempts to change a
password that has been rejected. If less than 2, then
2 is assumed.
ONETRY=YES
If set to YES, a rejected password is added to the
stop-list passed to goodpw. This prevents simplistic
modifications of a rejected password from being
accepted on a later attempt.
DESCRIBE=/usr/lib/goodpw/describe
The contents of this file are shown once (before the
new password is prompted for) and should describe the
difference between acceptable and unacceptable
passwords.
SUMMARY=/usr/lib/goodpw/summary
The contents of this file are shown each time a
password is rejected, and should be a (short) reminder
of what are and are not acceptable passwords.
CHECKDIR=/usr/lib/goodpw/checks
A hierarchy of additional checks goodpw should perform,
based on password type and restrictions (see above).
GOODPW=/usr/bin/goodpw
An independent program that applies various checks in
an attempt to determine whether or not a password is
easily guessed.
The values for the default settings may be changed to
reflect the system's security concerns.
If /etc/default/passwd does not exist or is not readable,
the above default values are used.
If the DESCRIBE or SUMMARY file defined in
/etc/default/passwd does not exist or cannot be read, short
(and vague) descriptions or summaries are issued instead.
In addition, if the user who logged in is a system
administrator, an error message describing the problem is
printed.
If the GOODPW program does not exist or is not executable,
simpler checks are done (see above). In addition, if the
user who logged in is a system administrator, an error
message describing the problem is printed.
Files
/etc/passwd
List of user accounts.
/tcb/files/auth/initial/name
Protected Password database entry for user name (where
the first character in name is initial).
/etc/group
List of groups.
/etc/d_passwd
List of dialup shells and passwords (one per line):
shell:encrypted-password:reserved
where shell is the pathname of a login shell as used in
/etc/passwd.
/etc/auth/system/files
File Control database.
/etc/auth/system/default
System Defaults database; contains default parameters.
/etc/default/passwd
Configurable settings (see above).
See Also
accept_pw(S), authcap(F), authsh(ADM), default(F),
goodpw(ADM), group(F), login(M), mnt(C), newgrp(C),
passlen(S), passwd(F)
Notes
Group passwords should be avoided; see newgrp(C). Not all
systems support group passwords.
Not all systems support filesystem mount passwords.
Not all systems support modem (dialup shell) passwords.
The -r option is mostly useful during installation to force
the newly-installed superuser to have a password.
(printed 4/27/90) PASSWD(C)