use trivial words; any word that can be found in a dictionary, names of pets or children, birthdays, user IDs, or any other information about the user that can be easily discovered (or stored in the directory itself), is a poor choice for a password.

A good password should contain a combination of letters, numbers, and special characters. For the sake of convenience, however, users often use passwords that are easy to remember. Consequently, some enterprises choose to set passwords for users that meet the criteria of a strong password, and do not allow users to change their passwords.

There are two disadvantages to having administrators set passwords for users:

It requires a substantial amount of an administrator's time.

Because administrator-specified passwords are typically more difficult to remember, users are more likely to write their password down, increasing the risk of discovery.

By default, user-defined passwords are allowed.

8.6.2.3 Password expiration

The password policy can allow users to use the same passwords indefinitely or specify that passwords expire after a given time. In general, the longer a password is in use, the more likely it is to be discovered. If passwords expire too often, however, users may have trouble remembering them and resort to writing their passwords down. A common policy is to have passwords expire every 30 to 90 days.

The server remembers the password expiration specification even if password expiration is disabled. If the password expiration is re-enabled, passwords are valid only for the duration set before it was last disabled.

For example, if the password policy is set for passwords to expire every 90 days, and password expiration is then disabled and later re-enabled, the password expiration duration is again 90 days.

By default, user passwords never expire.

8.6.2.4 Expiration warning

If a password expiration period is set, it is a good idea to send users a warning before their passwords expire.

The Directory Server displays the warning when the user binds to the server. If password expiration is enabled, by default, a warning is sent (via an LDAP message) to the user one day before the user's password expires, provided the user's client application supports this feature.

The valid range for a password expiration warning to be sent is from one to 24,855 days.

NOTE:

The password never expires until the expiration warning has been sent.

8.6.2.5 Grace login limit

A grace period for expired passwords means that users can still log in to the system, even if their password has expired. To allow some users to log in using an expired password, specify the number of grace login attempts that are allowed to a user after the password has expired.

By default, grace logins are not permitted.

8.6.2.6 Password syntax checking

Password syntax checking enforces rules for password strings, so that any password has to meet or exceed certain criteria. All password syntax checking can be applied globally, per subtree, or per user. Password syntax checking is set in the passwordCheckSyntax attribute.
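The following is an added illustration, not code from the Directory Server itself, of how the expiration, warning, grace-login and syntax rules described in sections 8.6.2.3 through 8.6.2.6 combine at bind time. The Policy and User classes, the 8-character minimum, the dictionary and the user attribute values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed word list for the example; a real deployment uses its own.
DICTIONARY = {"password", "secret", "welcome"}

@dataclass
class Policy:
    exp_enabled: bool = False                 # default: passwords never expire
    max_age: timedelta = timedelta(days=90)   # remembered even while disabled
    warning: timedelta = timedelta(days=1)    # default: warn one day before expiry
    grace_limit: int = 0                      # default: no grace logins

@dataclass
class User:
    uid: str
    attrs: dict          # directory attributes a weak password might reuse
    pw_changed: datetime
    grace_used: int = 0

def evaluate_bind(policy, user, now):
    """Return (bind_allowed, warning_sent) for a bind at time `now`."""
    if not policy.exp_enabled:
        return True, False
    expires_at = user.pw_changed + policy.max_age
    if now < expires_at:
        # Still valid; warn once inside the warning window before expiry
        return True, expires_at - now <= policy.warning
    # Expired: each successful bind consumes one of the grace logins
    if user.grace_used < policy.grace_limit:
        user.grace_used += 1
        return True, True
    return False, False

def check_syntax(password, user, min_len=8):
    """Return the list of syntax violations (empty means the password passes)."""
    problems = []
    low = password.lower()
    if len(password) < min_len:
        problems.append("too short")
    if low in DICTIONARY:
        problems.append("dictionary word")
    for name, value in user.attrs.items():
        # Reject passwords built from data stored in the user's own entry
        if len(str(value)) >= 3 and str(value).lower() in low:
            problems.append(f"contains {name}")
    classes = [any(c.isalpha() for c in password), any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if not all(classes):
        problems.append("needs letters, digits and special characters")
    return problems
```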

114 Designing a secure directory