

Determining Password Restrictions

ACID passwords are assigned using the TSS CREATE command. However, the guidelines that users must follow when they change their passwords, and the way in which CA Top Secret responds to password changes, are determined by the NEWPW control option and its various suboptions.

The following list contains a sample of NEWPW operands along with their default values (if any):

MIN

This determines the minimum password length. The default is MIN=4.

MINDAYS

This determines the minimum number of days between password changes. The default is MINDAYS=1.

WARN

This determines the number of days prior to password expiration that the user is notified of the date the password expires. The default is WARN=3.

NR

This indicates the number of repeating pairs permitted (for example, rabbit has one repeating pair, bb, while AABBCC has three). The default is NR=0, or no repeating characters.

RS

This prevents the use of passwords from a restricted list. For information on how to design a list of restricted passwords, see your Implementation Guides.

RS is in effect by default.

ID

Specifies that the new password cannot contain the ACID or parts of the name field. For example, John Smith, whose ACID is USER01, cannot use “John,” “Smith” or “USER01” as part of his password. ID is in effect by default.

TS

Prevents a user from specifying a password that is too similar to the previous password. For example, “mean” would be too similar to “lean.” TS is in effect by default.

The remaining operands in this list are not in effect by default and must be explicitly specified if they are to be included:

NM

Specifies that only numbers can be used for passwords.

NO

Specifies that only MIN and MINDAYS will apply to new passwords.

NU

Specifies that users cannot change their passwords.

NV

Specifies that no vowels may be used in the new password.

RN

Specifies that new passwords will be randomly generated by CA Top Secret.

SW

Specifies that the new password must contain a national character (@,#,$,{,},|).

MASK

Dictates what types of characters are accepted for each position of a password. The following values are used for a mask:

For example, MASK=cvc???n tells CA Top Secret that all new passwords must have:

The password “MAT2B@3” would correspond to this mask.

Note: Since password masking reduces the number of allowable passwords, it is not a recommended option.
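
The MIN, NR, ID, NM, NV and SW rules described above can be tried against candidate passwords offline. The following Python is an added example, not CA Top Secret code; the function names, case-insensitive matching, treating only A, E, I, O and U as vowels, and counting a repeating pair as two adjacent identical characters are assumptions. RS, TS and MASK are left out because this page does not define their matching rules.

```python
"""Added illustration: evaluate candidate passwords against NEWPW-style rules.
Not CA Top Secret code; rule interpretations are assumptions noted inline."""

NATIONAL = set("@#${}|")   # national characters as listed for SW
VOWELS = set("AEIOU")      # assumption: Y is not treated as a vowel


def repeating_pairs(password):
    """Count adjacent identical characters: 'rabbit' -> 1, 'AABBCC' -> 3."""
    return sum(1 for a, b in zip(password, password[1:]) if a == b)


def check_newpw(password, acid, name, *, min_len=4, nr=0, id_rule=True,
                nm=False, nv=False, sw=False):
    """Return the operands the candidate violates (empty list = accepted).

    Defaults mirror the defaults described above (MIN=4, NR=0, ID on).
    Assumption: comparisons are case-insensitive.
    """
    pw = password.upper()
    failed = []
    if len(pw) < min_len:
        failed.append("MIN")
    if repeating_pairs(pw) > nr:
        failed.append("NR")
    if id_rule:
        # ACID plus each whitespace-separated part of the name field
        banned = [acid.upper()] + name.upper().split()
        if any(part and part in pw for part in banned):
            failed.append("ID")
    if nm and not pw.isdigit():
        failed.append("NM")
    if nv and VOWELS & set(pw):
        failed.append("NV")
    if sw and not NATIONAL & set(pw):
        failed.append("SW")
    return failed


if __name__ == "__main__":
    # Constructed candidates for the John Smith / USER01 example
    for cand in ["abc", "rabbit7", "JOHN2024", "XK7#PQ9", "MAT2B@3"]:
        print(cand, check_newpw(cand, "USER01", "John Smith", sw=True) or "ok")
```
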