HP Security Monitor/iX Manager's Guide: HP 3000 MPE/iX Computer Systems > Chapter 3 Managing System Users with Passwords and Logon Restrictions

Revising Old Passwords

Passwords that never change present a security risk to the system. Several facilities are provided that force passwords to be revised, either for individual users or for all users on the system.

This section describes additional password features that are provided by the HP Security Monitor package. These features include password expiration, password aging, password encryption, and enforcement of minimum-length passwords for additional security.

Expiring User Passwords

System and Account Managers can cause individual user passwords to expire using standard system commands. These facilities are the USERPASS=REQ,EXPIRED options of the :NEWUSER and :ALTUSER commands.

The syntax for the expiration parameter is as follows:

   :NEWUSER username [;USERPASS=(REQ or OPT)[,EXPIRED]]

   :ALTUSER username [;USERPASS=(REQ or OPT)[,EXPIRED]]

Once a password has been expired, the user is prompted to enter a new password the next time they log on to the system. After the user supplies the new password, they are prompted to enter the password a second time to ensure that the intended password was entered. If the user makes a mistake when entering the new password the second time, the system prints the message NEW PASSWORD NOT VERIFIED, and asks the user to enter the new password again. If the user is not successful after three tries, the logon process terminates, and the user must restart the logon process. A user will not be allowed to log on until a new password is successfully entered.

The amount of time allotted for specifying a new user password is governed by the logon timer, which is configured during system startup.

Global Password Expiration

This feature allows the System Manager to activate automatic password expiration for all users who are required to have a password. To enable this option, the System Manager specifies a number of days (from 1 to 365) which determines how long all passwords will be valid.

The System Manager can specify a date (the current day is the default) for the expiration cycle to begin. The System Manager can also specify the number of days prior to the expiration on which the user is notified of the pending expiration.

If this feature is enabled, this absolute expiration date takes precedence over the password aging values described later.

Effects of Expired User Passwords

Expiration of a password has the following effects on users:

  • The global expired user password function causes the expiration only of required user passwords, regardless of whether required at the user or account level.

  • Required user passwords are marked for expiration at the beginning of the warning period. Thus, if a new user establishes a required password after the start of the warning period, that password is not affected by the forced expiration. Of course, it will be affected by the next forced expiration.

  • If a user's password has expired and the user is forced to enter a new one, it cannot be the same as the one that just expired.

  • When a required password expires, the new password must meet the same requirements as defined for the previous password. It must satisfy the password minimum length function, and the user password required function. (A blank password is not allowed, the password must be of a minimum length, and the password must be different from the previous one.)

  • Users can replace expired passwords only during interactive logon attempts. Other types of logon attempts will fail. Users should check that UDCs, programs, and job streams that include logon commands can recover from such failures.
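
The marking rule in the bullets above (only required passwords, marked at the start of the warning period) can be checked with a small date model. The following Python is an added example, not HP code or the output of any MPE/iX command; it assumes forced expirations fall every `valid_days` after the cycle start date, that a password established on the first day of the warning period is still marked, and that the warning period cannot exceed the validity period. The function names and sample dates are constructed for illustration.

```python
from datetime import date, timedelta


def cycle(start, valid_days, warn_days, n):
    """Return (warning_start, expiry) of the n-th forced expiration, n >= 1.

    Assumption: expirations repeat every valid_days after `start`.
    """
    if not 1 <= valid_days <= 365:          # range stated in the guide
        raise ValueError("valid_days must be between 1 and 365")
    if not 0 <= warn_days <= valid_days:    # assumed bound, not from the guide
        raise ValueError("warn_days must be between 0 and valid_days")
    expiry = start + timedelta(days=n * valid_days)
    return expiry - timedelta(days=warn_days), expiry


def first_forced_expiration(set_on, required, start, valid_days, warn_days):
    """Date of the first forced expiration that affects a password.

    Only required passwords expire. A password is marked when the warning
    period begins, so one established after that day skips the current
    expiration and is caught by the next one.
    """
    if not required:
        return None
    n = 1
    while True:
        warning_start, expiry = cycle(start, valid_days, warn_days, n)
        if set_on <= warning_start:         # tie counts as marked (assumption)
            return expiry
        n += 1


if __name__ == "__main__":
    # Constructed sample: 90-day validity, 14-day warning, cycle from 1 Jan 2024.
    start, valid_days, warn_days = date(2024, 1, 1), 90, 14
    users = [                               # (user, password set on, required?)
        ("OPERATOR.SYS", date(2024, 2, 1), True),
        ("NEWHIRE.PAYROLL", date(2024, 3, 20), True),   # inside warning period
        ("GUEST.DEMO", date(2024, 2, 1), False),        # optional password
    ]
    for name, set_on, required in users:
        when = first_forced_expiration(set_on, required, start, valid_days, warn_days)
        print(f"{name:18} {when or 'not subject to global expiration'}")
```

Running the model before enabling the feature shows which logons embedded in job streams and UDCs will begin to fail on each expiration date, since those passwords can be replaced only at an interactive logon.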
