HP Security Monitor/iX Manager's Guide: HP 3000 MPE/iX Computer Systems > Chapter 3 Managing System Users with Passwords and Logon Restrictions

Password Aging


This feature allows the system manager to implement an additional level of security by requiring users to periodically change their passwords. Prompting users for new passwords after a specified period of time helps safeguard passwords against unintended disclosure and also prevents stolen passwords from remaining valid for an indefinite period of time. There are two levels of password aging:

  • One is a system wide policy that establishes aging values for all users.

  • The other establishes password aging values for individual users.

Under this scheme, each password has a pre-defined maximum life-span which progresses through three stages:

Valid

Allows users to log on to the system.

Expired

Requires user to define a new password.

Invalid

At this stage, it is too late for the user to specify a new password; only the System Manager can change the password.

Graphically, the password aging for both system wide and individual user level can be shown as:

Figure 3-1 Password Aging Life Cycle

   |------------------ maximum lifetime -------------------|
   |--------- valid --------- | --------- expired ---------| -- invalid --
   |<-- minimum -> <- warn -->|     <-- expiration -->     |

Aging values for individual users can be established only after the system wide policy is established. Once this is done, aging values for individual users can be specified as long as they don't fall outside the range established by the system wide policy. If the system wide policy is changed, aging values for any individuals that exceed the system wide range are modified to reflect the new values the next time the user logs on. Here are the password aging values which can be set:

Maximum Lifetime

The maximum lifetime range is 1 to 365 days. During this period, the password is available for authentication and may be replaced.

Minimum Lifetime

The minimum number of days a password must be kept before a user can replace it. This is also the minimum time a password can spend in the valid state unless the system or account manager intervenes. This value can be zero.

Expiration period

The maximum number of days a user password can remain in the expired state during which the user can replace the password. This value can be zero.

Warning Period

The number of days' warning given to a user before their password expires. This value can be zero.

Start date

The date on which a password life cycle begins. This field is updated whenever the password is changed. During the logon sequence, the life cycle start date and the cycle time periods are compared to determine the password's current state.

NOTE: If password aging is enabled, all existing users on the system enter the expired state so they can choose a new password. The start date is updated at logon time when users change their password. When a new user is created after password aging is enabled, the start date for the user is the creation date by default.
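The following is an added worked example, not code from the HP Security Monitor/iX product, that models the life cycle of Figure 3-1 and the clamping of individual values to the system wide policy. It assumes, reading the figure, that the expiration period is the tail of the maximum lifetime (so the valid stage is the remainder), and that "exceeding" the system wide range means the individual value is larger than the system wide value; the class and function names are the example's own.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AgingPolicy:
    """Password aging values from Figure 3-1, all in days."""
    maximum_lifetime: int   # 1..365; spans the valid and expired stages
    minimum_lifetime: int   # days a password must be kept before the user may replace it
    expiration_period: int  # days the password may sit in the expired stage
    warning_period: int     # days of warning before the valid stage ends

    def valid_days(self) -> int:
        # Assumption drawn from Figure 3-1: the expired stage is the tail of
        # the maximum lifetime, so the valid stage is what remains before it.
        return self.maximum_lifetime - self.expiration_period


def clamp_to_system_policy(user: AgingPolicy, system: AgingPolicy) -> AgingPolicy:
    """Individual values that exceed the system wide value are reduced to it
    (the page says this adjustment happens at the user's next logon)."""
    return AgingPolicy(
        maximum_lifetime=min(user.maximum_lifetime, system.maximum_lifetime),
        minimum_lifetime=min(user.minimum_lifetime, system.minimum_lifetime),
        expiration_period=min(user.expiration_period, system.expiration_period),
        warning_period=min(user.warning_period, system.warning_period),
    )


def password_state(policy: AgingPolicy, start: date, today: date) -> str:
    """Classify the password at logon: 'valid', 'warning', 'expired' or 'invalid'."""
    age = (today - start).days          # days since the life cycle start date
    if age >= policy.maximum_lifetime:
        return "invalid"                # too late: only the System Manager can change it
    if age >= policy.valid_days():
        return "expired"                # the user must define a new password now
    if age >= policy.valid_days() - policy.warning_period:
        return "warning"                # still valid, but the user is warned
    return "valid"


def may_replace(policy: AgingPolicy, start: date, today: date, manager: bool = False) -> bool:
    """May the password be replaced today? A manager bypasses the minimum lifetime
    and is the only one who can replace an invalid password."""
    if password_state(policy, start, today) == "invalid":
        return manager
    return manager or (today - start).days >= policy.minimum_lifetime
```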