security: request/require password change every X days/weeks/months

in General Discussion edited January 2014
Not sure if this is more of a MacOS X topic... but...

A feature I find annoying, but useful, on our corporate Novell Network is that every 3 months or so it tells us that we have to change our password and that we have 10 grace logins before it becomes obligatory.

It's annoying, but good practice.

Is there any way to enable such a function in OSX (via OSX Server or via 3rd party software)?


  • Reply 1 of 3
    jll Posts: 2,709 member
    It's possible through Mac OS X Server and managed users.
  • Reply 2 of 3
    talksense101 Posts: 1,737 member
    OS X 10.3 Server uses Open Directory. This extract is from Apple's Open Directory administration documentation.


    Password Policies

    Both Kerberos and Open Directory Password Server enforce password policies. For example, a user's password policy can specify a password expiration interval. If the user is logging in and Open Directory discovers the user's password has expired, the user must replace the expired password. Then Open Directory can authenticate the user.

    Password policies can disable a user account on a certain date, after a number of days, after a period of inactivity, or after a number of failed login attempts. Password policies can also require passwords to be a minimum length, contain at least one letter, contain at least one numeral, differ from the account name, differ from recent passwords, or be changed periodically. Open Directory applies the same password policy rules to Open Directory Password Server and Kerberos, except that Kerberos does not support all the

    Password policies do not affect administrator accounts. Administrators are exempt from password policies because they can change the policies at will. In addition, enforcing password policies on administrators would subject them to denial-of-service attacks.
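The rules in that extract (expiry interval, lockout after failed logins, disable after inactivity, minimum length, letter and numeral, not the account name, not a recent password, administrators exempt) are small enough to model end to end. The following is an added example written for this page; it is not Apple's code and not anything shipped with OS X Server. The policy key names are assumptions loosely modelled on the keys the legacy pwpolicy(8) tool accepted, and the grace-login count is not in the Apple text at all: it models the Novell behaviour described in the question, with 0 meaning the strict Open Directory rule that an expired password must be replaced before authentication succeeds.

```python
# Added example, not Apple's code: a model of the Open Directory password rules
# quoted above. Policy key names are assumptions modelled on legacy pwpolicy(8)
# keys; "graceLogins" is the Novell behaviour from the question, not Apple's.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

POLICY = {
    "maxMinutesUntilChangePassword": 90 * 24 * 60,  # roughly "every 3 months"
    "graceLogins": 0,              # 0 = strict: an expired password must change now
    "maxFailedLoginAttempts": 5,
    "maxMinutesOfNonUse": 180 * 24 * 60,
    "minChars": 8,
    "requiresAlpha": True,
    "requiresNumeric": True,
    "passwordCannotBeName": True,
    "usingHistory": 5,             # previous passwords that may not be reused
}

def _h(password):
    # Stand-in for the server's verifier; unsalted SHA-256 is for this model only.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class Account:
    name: str
    pw_hash: str
    last_change: datetime
    last_login: datetime
    is_admin: bool = False
    failed_attempts: int = 0
    grace_logins_used: int = 0
    history: list = field(default_factory=list)  # hashes of earlier passwords
    disabled: bool = False

def new_account(name, password, now, is_admin=False):
    return Account(name, _h(password), now, now, is_admin)

def check_new_password(policy, account, candidate):
    """Return the rules the candidate breaks; an empty list means acceptable."""
    if account.is_admin:                   # policies do not affect administrators
        return []
    problems = []
    if len(candidate) < policy["minChars"]:
        problems.append("too short")
    if policy["requiresAlpha"] and not any(c.isalpha() for c in candidate):
        problems.append("needs a letter")
    if policy["requiresNumeric"] and not any(c.isdigit() for c in candidate):
        problems.append("needs a numeral")
    if policy["passwordCannotBeName"] and candidate.lower() == account.name.lower():
        problems.append("same as account name")
    if _h(candidate) in [account.pw_hash] + account.history[:policy["usingHistory"]]:
        problems.append("reused recently")
    return problems

def change_password(policy, account, old, new, now):
    """Change the password if the old one is right and the new one passes policy."""
    if _h(old) != account.pw_hash:
        return ["old password wrong"]
    problems = check_new_password(policy, account, new)
    if not problems:
        account.history.insert(0, account.pw_hash)
        del account.history[policy["usingHistory"]:]
        account.pw_hash, account.last_change, account.grace_logins_used = _h(new), now, 0
    return problems

def attempt_login(policy, account, password, now):
    """Return ok, ok-grace, change-required, wrong-password or disabled."""
    if account.disabled:
        return "disabled"
    exempt = account.is_admin              # admins: no lockout, no expiry
    if not exempt and now - account.last_login > timedelta(minutes=policy["maxMinutesOfNonUse"]):
        account.disabled = True            # disabled after a period of inactivity
        return "disabled"
    if _h(password) != account.pw_hash:
        if not exempt:
            account.failed_attempts += 1
            if account.failed_attempts >= policy["maxFailedLoginAttempts"]:
                account.disabled = True    # lockout after N failed attempts
                return "disabled"
        return "wrong-password"
    account.failed_attempts, account.last_login = 0, now
    if not exempt and now - account.last_change > timedelta(minutes=policy["maxMinutesUntilChangePassword"]):
        if account.grace_logins_used < policy["graceLogins"]:
            account.grace_logins_used += 1
            return "ok-grace"
        return "change-required"           # must replace it before authentication succeeds
    return "ok"

def scenario():
    # Constructed walk-through: expiry, a rejected change, reuse refusal, grace, lockout.
    day = lambda n: datetime(2004, 1, 1) + timedelta(days=n)
    bob = new_account("bob", "Summer2004", day(0))
    out = [attempt_login(POLICY, bob, "Summer2004", day(10)),
           attempt_login(POLICY, bob, "Summer2004", day(100)),
           change_password(POLICY, bob, "Summer2004", "bob", day(100)),
           change_password(POLICY, bob, "Summer2004", "Winter2004", day(100)),
           change_password(POLICY, bob, "Winter2004", "Summer2004", day(101))]
    lenient = dict(POLICY, graceLogins=2)  # Novell-style: a few logins before it is forced
    out += [attempt_login(lenient, bob, "Winter2004", day(200)) for _ in range(3)]
    out.append([attempt_login(POLICY, bob, "guess", day(201)) for _ in range(5)][-1])
    adm = new_account("diradmin", "x", day(0), is_admin=True)
    out.append([attempt_login(POLICY, adm, "guess", day(400)) for _ in range(9)][-1])
    out.append(check_new_password(POLICY, adm, "x"))
    return out
```

`scenario()` returns the sequence `ok`, `change-required`, the three rule violations for "bob", an accepted change, `reused recently`, two `ok-grace` logins followed by `change-required`, `disabled` after the fifth bad guess, and for the administrator only `wrong-password` with no lockout and no complaints about a one-character password. That last pair is the extract's own caveat made concrete: exempting administrators protects them from the lockout-based denial of service it mentions, and in exchange nothing in this policy limits guessing against those accounts, so their strength has to come from elsewhere.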

  • Reply 3 of 3
    gon Posts: 2,437 member
    Strong passwords are good security practice. Password strength is at odds with ease of remembering.

    Different passwords for different systems / networks are good security practice.

    Keeping things in your head, not on paper, is good security practice.

    Few people are capable of reliably remembering four or five strong passwords and inventing totally new ones every three months. This is why I hate mandatory password changing, and sort of circumvent it by recycling my random-junk passwords between systems that I consider "equally secure". I'm sure the average user, when faced with this situation, will throw his hands up and 3M the passwords on his desk, use a predictable way to generate all his passwords (as long as password strength checkers allow it), or do like I do.

    Physical tokens make sense. A one-time password list on paper makes sense. I have yet to hear one good explanation for mandatory password changing when these other options exist.