Appendix D. Password Aging

With password aging, a user's password is valid only for a specific period of time. When the user attempts to log in after that period of time, they are forced to change their password. EnlightenDSM supports password aging for user accounts.

Two time periods are generally associated with password aging:

Both of these times are relative to the last time the password was changed. Consequently, every time the user changes their password, the expiration timer is reset.

Different operating systems may use different formats to implement password aging. Both the way the information is stored and the granularity with which time is kept may differ. This appendix describes two common types of password aging implementation.

Berkeley UNIX and Pre-System V.4

This password implementation uses weeks as the unit of time, so periods are expressed as n weeks. If a user changes his or her password on two consecutive days, the recorded date of the last password change is the same for both changes unless the two days happen to fall in two different “weeks.” A password can be valid for a maximum of 64 weeks.

If your system supports this type of password aging, you cannot expire a user's password without first turning password aging on for that user.

System V.4

With the advent of UNIX Release 5.4, a secondary method of storing passwords was created: the shadow password file. This file also includes fields for password aging. The granularity of time for a shadow password is one day. EnlightenDSM updates this file as part of its user account management.
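The difference in granularity between the two schemes can be seen in the following added example, which is not EnlightenDSM code. It assumes the conventional layouts (a radix-64 age suffix after a comma in the passwd password field, and lastchg/min/max as fields 3 to 5 of a shadow entry), uses constructed sample entries, and simplifies the expiry comparison to "now is later than last change plus maximum."

```python
from datetime import date

EPOCH = date(1970, 1, 1)
A64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample entries (not from a real system). Both record a change
# on Monday 2024-01-01 and allow 8 weeks (56 days) of validity.
OLD_FIELD = "HASH,6//g"                    # passwd password field + age suffix
SHADOW_LINE = "alice:HASH:19723:7:56::::"  # shadow entry

def days(d):
    """Days since 1970-01-01: the unit of the shadow lastchg field."""
    return (d - EPOCH).days

def weeks(d):
    """Whole weeks since 1970-01-01: the unit of the old-style age suffix."""
    return days(d) // 7

def decode_age(age):
    """Decode the age suffix (radix 64, least significant character first)."""
    v = sum(A64.index(c) << (6 * i) for i, c in enumerate(age))
    return v & 63, (v >> 6) & 63, v >> 12  # max weeks, min weeks, week changed

def old_style_expired(pw_field, today):
    """Week-granular check on a passwd password field such as 'HASH,6//g'."""
    _, _, age = pw_field.partition(",")
    if not age:
        return False                       # no age suffix: aging is turned off
    max_w, _min_w, changed = decode_age(age)
    return weeks(today) > changed + max_w  # simplified comparison (assumption)

def shadow_expired(line, today):
    """Day-granular check on one shadow entry."""
    f = line.split(":")
    if not f[2] or not f[4]:
        return False                       # empty field: aging is turned off
    return days(today) > int(f[2]) + int(f[4])

if __name__ == "__main__":
    # Weeks are counted from a Thursday (1970-01-01), so Jan 1-3 share one
    # week stamp and Jan 4 starts the next; day stamps always differ.
    for day in (1, 2, 3, 4):
        d = date(2024, 1, day)
        print(d, "week stamp", weeks(d), "day stamp", days(d))
    for d in (date(2024, 2, 26), date(2024, 2, 27), date(2024, 2, 29)):
        print(d, "old-style expired:", old_style_expired(OLD_FIELD, d),
              "shadow expired:", shadow_expired(SHADOW_LINE, d))
```

With the week-granular record, any change made between Thursday 2023-12-28 and Wednesday 2024-01-03 produces the same stored value, so the effective lifetime varies by up to six days depending on the weekday of the change.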