Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ukma!tut.cis.ohio-state.edu!bloom-beacon!apple!fair
From: fair@Apple.COM (Erik E. Fair)
Newsgroups: comp.sys.sequent,ca.unix
Subject: Re: Password Aging for 4.2BSD (or DYNIX )
Message-ID: <28452@apple.Apple.COM>
Date: 5 Apr 89 23:27:20 GMT
References: <38996@peregrine.peregrine.com>
Distribution: usa
Organization: USENET Protocol Police, Western Gateway Division
Lines: 39

To answer the question: I have never seen a password aging system for 4BSD.

However, it would not be that hard to implement - a daemon that can itself manipulate the password file (with the appropriate locking, etc), keeps track of when all the password cryptexts were last changed (dynamic discovery of new/deleted password entries too), and at the appropriate time, it changes the shell field to a temporary shell that forces a password change and changes the shell field back again to what the user usually has. This can all be done without changing /bin/login or /etc/getty.

Meta comment: all password aging system implementations I have seen to date are EVIL. They surprise you one day without any warning and FORCE you to change your password on the spot to something else (and the "better" ones remember the last few you've used, so you can't just cycle through a list). They're generally set to surprise you FAR too frequently. This causes people to pick VERY BAD PASSWORDS. Passwords that are easy to guess. Passwords that are English words, etc. People need time to think of good passwords, and perhaps some on-line tools for testing their potential passwords against the system's password policies.

A GOOD password aging system would:

1) not allow the administrator to set a period LESS than six months (so I have to change my password only twice a year).

2) Give me a week's warning by Email, 7 days, 4 days, 2 days, and the day before it forced the change on me.

Obviously, if I change my password in advance of this date, it would reset the time-changed so that I would not be bothered until the next period expired.

3) I can't think of a three right now. Doubtless, I will later...

	Erik E. Fair	apple!fair	fair@apple.com
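The daemon sketched in the post (reset the clock when a cryptext changes, warn at 7/4/2/1 days, swap in a forcing shell at expiry and restore the real one afterwards, never let the period drop under six months), as an added example that is not Erik Fair's code. It assumes an integer day clock, an in-memory state dict, a placeholder forcing-shell path, and leaves out the file locking the post mentions.

```python
# Added example, not Erik Fair's code: one pass of the aging daemon described
# in the post.  Assumptions not in the post: time is an integer day count, the
# state is an in-memory dict, the forcing shell path is a placeholder, and the
# file locking the post mentions is left out.
MIN_PERIOD_DAYS = 180                         # the post's floor: never under six months
WARN_DAYS = (7, 4, 2, 1)                      # the post's warning schedule before expiry
FORCE_SHELL = "/usr/local/bin/forcepasswd"    # placeholder path (assumed)

# Constructed passwd(5)-style sample; the cryptexts are not real hashes.
SAMPLE_PASSWD = ("root:xx:0:0:Charlie Root:/:/bin/csh\n"
                 "fair:ab:100:10:Erik Fair:/u/fair:/bin/csh\n")


def daemon_tick(passwd_text, state, today, period_days):
    """One pass of the daemon over the password file.

    state maps user -> {"crypt", "changed", "shell"}; the real shell is kept
    there while the forcing shell is installed.  Returns (new_text, new_state,
    notices) where notices are (user, "warn"|"forced", days_left) tuples.
    Users missing from the file simply drop out of the new state.
    """
    period = max(period_days, MIN_PERIOD_DAYS)   # administrator cannot go below the floor
    new_state, out, notices = {}, [], []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:                           # comments or malformed lines pass through
            out.append(line)
            continue
        user, crypt, shell = f[0], f[1], f[6]
        prev = state.get(user)
        if prev is None or prev["crypt"] != crypt:
            # New entry or cryptext changed: reset the clock and restore the real
            # shell if we had forced it (the user complied with the change).
            real = prev["shell"] if prev and shell == FORCE_SHELL else shell
            rec, shell = {"crypt": crypt, "changed": today, "shell": real}, real
        else:
            rec = dict(prev)
            left = rec["changed"] + period - today
            if left <= 0 and shell != FORCE_SHELL:
                rec["shell"], shell = shell, FORCE_SHELL   # swap in the forcing shell
                notices.append((user, "forced", 0))
            elif left in WARN_DAYS:                        # the e-mail warning days
                notices.append((user, "warn", left))
        new_state[user] = rec
        f[6] = shell
        out.append(":".join(f))
    return "\n".join(out) + "\n", new_state, notices
```

Run the function once per day over the file and persist the returned state; the notices list is what the mailer would act on.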