
Data ONTAP options for managing password rules

Data ONTAP provides several options that you can use to manage password rules. You can specify password requirements such as how a check for password composition is performed and what the maximum or minimum number of characters a password requires.

The following Data ONTAP options enable you to manage password rules:

This option (used with the options command)... Enables you to...
security.passwd.firstlogin.enable Specify whether the password must be changed when new users log in for the first time or when users try to log in after their password has been changed by an administrator.

The default value is off.

Note: If you enable this option, you must ensure that all groups have the login-telnet and cli-passwd* capabilities. Users in groups that do not have these capabilities cannot log in to the storage system.

security.passwd.lockout.numtries Specify the number of allowed login attempts before a nonroot user’s account is disabled.

The default value is 4,294,967,295.

security.passwd.rules.enable Specify whether a check for password composition is performed when new passwords are specified.

If this option is set to on, passwords are checked against the rules specified with options that begin with security.passwd.rules, and a password is rejected if it does not pass the check. If this option is set to off, the check is not performed.

The default value is on.

This option does not apply to the users "root" or "Administrator" (the NT Administrator account) if security.passwd.rules.everyone is set to off.

security.passwd.rules.everyone Specify whether a check for password composition is performed for all users, including the users "root" and "Administrator".

If this option is set to off, the checks do not apply to "root" or "Administrator". The checks still apply to all other users unless the security.passwd.rules.enable option is also set to off.

For storage systems shipped with Data ONTAP 8.0 or later, the default value is on.

For storage systems upgraded from a release earlier than Data ONTAP 8.0, the setting for this option stays the same as before the upgrade.

security.passwd.rules.history Specify the number of previous passwords that are checked against a new password to prevent repeats.

For storage systems shipped with Data ONTAP 8.0 or later, the default value is 6. In this case, the password cannot be the same as any of the last six passwords.

For storage systems upgraded from a release earlier than Data ONTAP 8.0, the setting for this option stays the same as before the upgrade.

If the security.passwd.rules.enable option is set to off, this option is ignored.

security.passwd.rules.maximum Specify the maximum number of characters a password can contain.

The value of this option must not be smaller than that of security.passwd.rules.minimum.

The default value is 256.

Note: This option can be set to a value greater than 16, but a maximum of 16 characters are used to match the password. The system ignores characters that are beyond the first 16 when checking the password against the composition rules.

Users with passwords longer than 14 characters cannot log in through the Windows interfaces. Therefore, if you are using Windows, do not set this option higher than 14.

If the security.passwd.rules.enable option is set to off, this option is ignored.

security.passwd.rules.minimum Specify the minimum number of characters a password must contain.

The value of this option must not be greater than that of security.passwd.rules.maximum.

The default value is 8.

If the security.passwd.rules.enable option is set to off, this option is ignored.

security.passwd.rules.minimum.alphabetic Specify the minimum number of alphabetic characters a password must contain.

This number includes the required numbers of uppercase and lowercase characters, which you can set by using security.passwd.rules.minimum.uppercase and security.passwd.rules.minimum.lowercase respectively.

The default value is 2.

If the security.passwd.rules.enable option is set to off, this option is ignored.

If this option has a value smaller than the combined value of security.passwd.rules.minimum.uppercase and security.passwd.rules.minimum.lowercase, the uppercase and lowercase rules determine the required number of alphabetic characters in a password. In the following examples, the system ensures that a password contains at least two uppercase and four lowercase alphabetic characters:

options security.passwd.rules.minimum.alphabetic 0
options security.passwd.rules.minimum.uppercase 2
options security.passwd.rules.minimum.lowercase 4

options security.passwd.rules.minimum.alphabetic 3
options security.passwd.rules.minimum.uppercase 2
options security.passwd.rules.minimum.lowercase 4

security.passwd.rules.minimum.digit Specify the minimum number of digit characters a password must contain. These are numbers from 0 to 9.

The default value is 1.

If the security.passwd.rules.enable option is set to off, this option is ignored.

security.passwd.rules.minimum.lowercase Specify the minimum number of lowercase alphabetic characters ("a" to "z") that a password must contain.

The default value is 0.

If the security.passwd.rules.enable option is set to off, this option is ignored.

security.passwd.rules.minimum.symbol Specify the minimum number of symbol characters (including white space and punctuation characters) a password must contain.

The default value is 0.

If the security.passwd.rules.enable option is set to off, this option is ignored.

security.passwd.rules.minimum.uppercase Specify the minimum number of uppercase alphabetic characters ("A" to "Z") that a password must contain.

The default value is 0.

If the security.passwd.rules.enable option is set to off, this option is ignored.

For more information about these options, see the na_options(1) man page.
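
The rule interactions described above (uppercase and lowercase minimums overriding a smaller alphabetic minimum, the 16-character matching limit, the 14-character Windows limit, the lockout default) can be checked against a system's settings. The following Python script is an added example, not NetApp code; the "name value" input format, the finding labels and the SAMPLE values are assumptions constructed for illustration.

```python
# Added example (not NetApp code); SAMPLE is constructed, "name value" lines are an assumed format.
P = "security.passwd."
DEFAULTS = {  # defaults listed on this page (systems shipped with 8.0 or later)
    P + "firstlogin.enable": "off", P + "lockout.numtries": "4294967295",
    P + "rules.enable": "on", P + "rules.everyone": "on",
    P + "rules.history": "6", P + "rules.maximum": "256",
    P + "rules.minimum": "8", P + "rules.minimum.alphabetic": "2",
    P + "rules.minimum.digit": "1", P + "rules.minimum.lowercase": "0",
    P + "rules.minimum.symbol": "0", P + "rules.minimum.uppercase": "0",
}
SAMPLE = """\
security.passwd.rules.everyone off
security.passwd.rules.minimum.alphabetic 3
security.passwd.rules.minimum.uppercase 2
security.passwd.rules.minimum.lowercase 4
"""
def parse(text):
    """Overlay 'name value' lines on the page defaults; unknown names are skipped."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in DEFAULTS:
            opts[parts[0]] = parts[1]
    return opts

def effective_alphabetic(opts):
    """Uppercase + lowercase minimums override a smaller alphabetic minimum."""
    n = lambda k: int(opts[P + "rules.minimum." + k])
    return max(n("alphabetic"), n("uppercase") + n("lowercase"))

def audit(opts):
    out = []
    if int(opts[P + "lockout.numtries"]) == 4294967295:
        out.append("LOCKOUT: numtries is at its default, so nonroot accounts are effectively never disabled")
    if opts[P + "rules.enable"] == "off":
        return out + ["DISABLED: composition, length and history rules are ignored"]
    if opts[P + "rules.everyone"] == "off":
        out.append("EXEMPT: root and Administrator skip the composition check")
    lo, hi = int(opts[P + "rules.minimum"]), int(opts[P + "rules.maximum"])
    if lo > hi:
        out.append("RANGE: rules.minimum is greater than rules.maximum")
    if hi > 14:
        out.append("WINDOWS: passwords over 14 characters cannot log in through Windows interfaces")
    if hi > 16:
        out.append("TRUNCATE: only the first 16 characters are checked against the rules")
    need = effective_alphabetic(opts) + sum(int(opts[P + "rules.minimum." + k]) for k in ("digit", "symbol"))
    if need > min(hi, 16):
        out.append(f"UNSAT: rules need {need} characters but at most {min(hi, 16)} are checked")
    return out
```

Calling audit(parse(SAMPLE)) returns the findings for the constructed settings; the UNSAT finding is an inference from the 16-character matching limit stated above, not a documented error condition.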