Using Passwords in NIS+

When logging in to a machine, users must enter both a user name (also known as a login ID) and a password. Although login IDs are publicly known, passwords must be kept secret by their owners.

Logging In to an NIS+ Domain

Logging in to a system is a two-step process.

How to Use Passwords

1. Type your login ID at the Login: prompt.

2. Type your password at the Password: prompt.

   (To maintain password secrecy, your password is not displayed on your screen when you type it.)

   If your login is successful you will see your system's message of the day (if any) and then your command-line prompt, windowing system, or normal application.

Login incorrect Message

The Login incorrect message indicates that:

• You have entered the wrong login ID or the wrong password. This is the most common cause of the Login incorrect message. Check your spelling and repeat the process. Note that most systems limit to five the number of unsuccessful login tries you can make:

  • If you exceed a number of tries limit, you will get a Too many failures - try later message and not be allowed to try again until a designated time span has passed.

  • If you fail to successfully log in within a specified amount of time you will receive a Too many tries; try again later message, and not be allowed to try again until a designated time span has passed.

• Another possible cause of the Login incorrect message is that an administrator has locked your password and you cannot use it until it is unlocked. If you are sure that you are entering your login ID and password correctly, and you still get a Login incorrect message, contact your system administrator.

• Another possible cause of the Login incorrect message is that an administrator has expired your password privileges and you cannot use your password until your privileges are restored. If you are sure that you are entering your login ID and password correctly, and you still get a Login incorrect message, contact your system administrator.

Password will expire Message

If you receive a Your password will expire in N days message (where N is a number of days), or a Your password will expire within 24 hours message, it means that your password will reach its age limit and expire in that number of days (or hours).

In essence, this message is telling you to change your password now. (See Changing Your NIS+ Password.)

Permission denied Message at Login

After entering your login ID and password, you may get a Permission denied message and be returned to the login: prompt. This means that your login attempt has failed because an administrator has either locked your password, or terminated your account, or your password privileges have expired. In these situations you cannot log in until an administrator unlocks your password or reactivates your account or privileges. Consult your system administrator.

Changing Your NIS+ Password

To maintain security, you should change your password regularly. (See Choosing a Password for password requirements and criteria.)

The passwd command now performs all functions previously performed by nispasswd. For operations specific to an NIS+ name space, use passwd -r nisplus.

Changing your password is a four-step process:

How to Change Your NIS+ Password

1. Run the passwd command at a system prompt.

2. Type your old password at the Enter login password (or similar) prompt.

   Your keystrokes are not shown on your screen.

   • If you receive a Sorry: less than N days since the last change message, it means that your old password has not been in use long enough and you will not be allowed to change it at this time. You are returned to your system prompt. Consult your system administrator to find out the minimum number of days a password must be in use before it can be changed.

   • If you receive a You may not change this password message, it means that your network administrator has blocked any change.

3. Type your new password at the Enter new password prompt.

   Your keystrokes are not shown on your screen.

   At this point the system checks to make sure that your new password meets the requirements:

   • If it does meet the requirements, you are asked to enter it again.

   • If your new password does not meet the system requirements, a message is displayed informing you of the problem. You must then enter a new password that does meet the requirements.

   See Password Requirements for the requirements a password must meet.

4. Type your new password again at the Re-enter new password prompt.

   Your keystrokes are not shown on your screen.

   If your second entry of the new password is not identical to your first entry, you are prompted to repeat the process.

   ---

   Note –

   When changing root's password, you must always run chkey -p immediately after changing the password. (See Changing NIS+ Root Keys From Root and Changing Root Keys From Another NIS+ Machine for information on using chkey -p to change root's keys.) Failure to run chkey -p after changing root's password will result in root being unable to properly log in.

   ---

   If you receive a Your password has expired message it means that your password has reached its age limit and expired. In other words, the password has been in use for too long and you must choose a new password at this time. (See Choosing a Password, for criteria that a new password must meet.)

   In this case, choosing a new password is a three-step process:

   1. Type your old password at the Enter login password (or similar) prompt.

      Your keystrokes are not shown on your screen.

   2. Type your new password at the Enter new password prompt.

      Your keystrokes are not shown on your screen.

   3. Type your new password again at the Re-enter new password prompt.

      Your keystrokes are not shown on your screen.

NIS+ Password Change Failures

Some systems limit either the number of failed attempts you can make in changing your password or the total amount of time you can take to make a successful change. (These limits are implemented to prevent someone else from changing your password by guessing your current password.)

If you (or someone posing as you) fails to successfully log in or change your password within the specified number of tries or time limit, you will get a Too many failures - try later or Too many tries: try again later message. You will not be allowed to make any more attempts until a certain amount of time has passed. (That amount of time is set by your administrator.)

Choosing a Password

Many breaches of computer security involve guessing another user's password. While the passwd command enforces some criteria for making sure the password is hard to guess, a clever person can sometimes figure out a password just by knowing something about the user. Thus, a good password is one that is easy for you to remember but hard for someone else to guess. A bad password is one that is so hard for you to remember that you have to write it down (which you are not supposed to do), or that is easy for someone who knows about you to guess.

Password Requirements

A password must meet the following requirements:

• Length. By default, a password must have at least six characters. Only the first eight characters are significant. (In other words, you can have a password that is longer than eight characters, but the system only checks the first eight.) Because the minimum length of a password can be changed by a system administrator, it may be different on your system.

• Characters. A password must contain at least two letters (either uppercase or lowercase) and at least one numeral or symbol such as @,#,%. For example, you can use dog#food or dog2food as a password, but you cannot use dogfood.

• Not your login ID. A password cannot be the same as your login ID, nor can it be a rearrangement of the letters and characters of your login ID. (For the purpose of this criteria, upper and lower case letters are considered to be the same.) For example, if your login ID is Claire2 you cannot have e2clair as your password.

• Different from old password. Your new password must differ from your old one by at least three characters. (For the purpose of this criterion, uppercase and lowercase letters are considered to be the same.) For example, if your current password is Dog#fooD you can change it to dog#Meat but you cannot change it to daT#Food.

Bad Choices for Passwords

Bad choices for passwords include:

• Any password based on your name

• Names of family members or pets

• Car license numbers

• Telephone numbers

• Social Security numbers

• Employee numbers

• Names related to a hobby or interest

• Seasonal themes, such as Santa in December

• Any word that is in a standard dictionary

Good Choices for Passwords

Good choices for passwords include:

• Phrases plus numbers or symbols (beam#meup)

• Nonsense words made up of the first letters of every word in a phrase plus a number or symbol (swotrb7 for SomeWhere Over The RainBow)

• Words with numbers, or symbols substituted for letters (sn00py for snoopy)