Data ONTAP provides several methods that you can use to ensure that the password policies for your storage system meet your company's security requirements.
When the security.passwd.rules.enable option is set to on (the default), you can manage passwords in the ways described below.
The following are the default password composition rules for all accounts, including the "root" and "Administrator" accounts:
The security.passwd.rules.minimum option defaults to 8.
The security.passwd.rules.minimum.digit option defaults to 1.
The security.passwd.rules.minimum.alphabetic option defaults to 2.
By default, a password is not required to include symbol characters, but you can change the requirement by using the security.passwd.rules.minimum.symbol option.
In addition, you can use the following options to specify the minimum number of uppercase or lowercase alphabetic characters that a password must contain:
The option for uppercase characters defaults to 0, which means a password is not required to contain any uppercase characters.
The option for lowercase characters defaults to 0, which means a password is not required to contain any lowercase characters.
The password history functionality enables you to require users to create new passwords that are different from a specified number of previously used passwords, rather than simply using the same password every time. You use the security.passwd.rules.history option to specify how many unique passwords users must create before they can reuse a password.
For storage systems shipped with Data ONTAP 8.0 or later, the default value is 6. In this case, the password a user creates cannot be the same as any of that user's most recent six passwords.
For storage systems upgraded to Data ONTAP 8.0 or later from an earlier release, the setting for the security.passwd.rules.history option stays the same as before the upgrade.
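As an added illustration (not NetApp code), the composition rules and the history window described above can be expressed as a checker in Python. The option names and default values are the ones stated on this page; how characters are classified (str.isdigit, str.isalpha, anything else counted as a symbol) and the cleartext history list are assumptions for the example.

```python
"""Checker for the password composition and history rules on this page.
Added example, not Data ONTAP code. Defaults mirror the page's stated
option defaults; character classification is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRules:
    minimum: int = 8             # security.passwd.rules.minimum
    minimum_digit: int = 1       # security.passwd.rules.minimum.digit
    minimum_alphabetic: int = 2  # security.passwd.rules.minimum.alphabetic
    minimum_symbol: int = 0      # security.passwd.rules.minimum.symbol
    minimum_uppercase: int = 0   # uppercase option, default 0
    minimum_lowercase: int = 0   # lowercase option, default 0
    history: int = 6             # security.passwd.rules.history (8.0+ default)


def check_password(candidate, previous, rules=PasswordRules()):
    """Return the list of rule violations; an empty list means accepted.

    previous: the user's prior passwords, oldest first. Constructed
    cleartext input for the example; a real system compares hashes.
    """
    counts = {
        "digit": sum(c.isdigit() for c in candidate),
        "alphabetic": sum(c.isalpha() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "symbol": sum(not c.isalnum() for c in candidate),  # assumption
    }
    violations = []
    if len(candidate) < rules.minimum:
        violations.append(f"length {len(candidate)} < minimum {rules.minimum}")
    for name, have in counts.items():
        need = getattr(rules, f"minimum_{name}")
        if have < need:
            violations.append(f"{name}: have {have}, need {need}")
    # History: only the most recent `history` passwords are compared, so an
    # older one (e.g. the 7th most recent with history=6) may be reused.
    if rules.history and candidate in previous[-rules.history:]:
        violations.append(f"reuses one of the last {rules.history} passwords")
    return violations


if __name__ == "__main__":
    print(check_password("abcdefgh", []))            # missing digit
    print(check_password("Ab3defgh", ["Ab3defgh"]))  # in history window
```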
The password expiration functionality enables you to require that users change their passwords before they have had the password for the specified number of days. You use the -M option of the useradmin user add or the useradmin user modify command to specify the maximum password duration for individual users. The default value is 4,294,967,295.
The password minimum age functionality (a specified minimum length of time each password stays in effect) prevents users from changing their passwords too soon, thus cycling through their previous passwords too quickly. You use the -m option of the useradmin user add or the useradmin user modify command to specify the minimum password duration for individual users. The default value is 0, which does not enforce a minimum password age.
The password lockout functionality enables you to lock out users (except the root account) after a specified number of unsuccessful login attempts. This is to prevent an unauthorized user from attempting to guess a password. You use the security.passwd.lockout.numtries option to specify the number of tries a user can make before being locked out of the system. The default value is 4,294,967,295.
The password reset requirement enables you to require that all new users (except for root) reset their passwords when they log in for the first time. Users must also reset their passwords the first time they log in after an administrator has changed their password.
You set the security.passwd.firstlogin.enable option to on to enable this requirement. The default value is off.
For more information about options that manage passwords, see the na_options(1) and na_useradmin(1) man pages.