Administering user accounts

About password restrictions

Passwords are subject to the following restrictions:

Each password must have at least PASSLENGTH characters as defined in /etc/default/passwd. PASSLENGTH must be at least 3.
Each password must contain at least two alphabetic characters and at least one numeric or special character. (In this case, alphabetic includes all uppercase and lowercase letters.)
Each password must differ from the user's login name and any reverse or circular shift of that login name. (Corresponding uppercase and lowercase letters are considered equivalent.)
A new password must differ from the old one by at least three characters.

Allowing accounts without passwords

Two parameters located in /etc/default/passwd control the existence of passwords:

PASSREQ: If set to YES, all users must have a password. Any user without a password is asked for one at the first opportunity permitted by the password expiration set for that user. (That is, users without passwords cannot change their NULL passwords if password aging is enabled for them and the minimum time before a password can be changed has not elapsed.)
MANDPASS: When set to YES, this keyword makes passwords mandatory for all logins (overriding PASSREQ).

Accounts without passwords are a major security risk.

WARNING: Removing the requirement for passwords does not delete existing passwords. The administrator must change each password as described in ``Setting or changing a user password'' using the Remove Password button or the passwd(1) command.

Disallowing password changes

To stop a user from changing their password, use this command:

passwd -n 2 -x 1 login_name

This sets the password lifetime to less than the number of days permitted between changes, thus preventing changes from being made.

Setting password length

Password length is controlled by the PASSLENGTH parameter. This can be set using the System Defaults Manager or the defadm(1M) command:

defadm passwd PASSLENGTH=value

The maximum length is 80 characters.