
How to manage passwords for security

Data ONTAP provides several methods you can use to ensure the password policies for your storage systems meet your company's security requirements.

The following are the methods you can use:
  • Password rules

    Password rules enable you to specify rules for valid passwords. You use the security.passwd.rules options to specify password rules. For more information, see the na_options(1) man page.

  • Password history

    Password history enables you to require users to rotate through a specified number of passwords, rather than simply using the same password every time. You use the security.passwd.rules.history option to specify password history. The default value is 0, which does not enforce this rule. For more information, see the na_options(1) man page.

  • Password expiration (maximum age)
    Password expiration enables you to require that users change their passwords before the passwords reach a specified age in days. You use the useradmin user add or useradmin user modify commands to set this value for individual users. The default value is 4,294,967,295. For more information, see the na_useradmin(1) man page.
    Note: Before using password expiration, make sure your storage system time is set correctly. If you use password expiration before the date is set correctly, accounts could expire before or after the desired expiration date.
  • Password minimum age
    Password minimum age prevents users from changing their passwords too soon, and thus from cycling through their previous passwords too quickly. You use the useradmin user add or useradmin user modify commands to set this value for individual users. The default value is 0, which does not enforce a minimum password age. For more information, see the na_useradmin(1) man page.
    Note: Before using password minimum ages, make sure your storage system time is set correctly. Changing the system time after password minimum ages have been set can lead to unexpected results.
  • Password lockout

    Password lockout enables you to lock users out after a specified number of unsuccessful login attempts. This is to prevent an unauthorized user from attempting to guess a password. You use the security.passwd.lockout.numtries option to specify password lockout. The default value is 0, which does not enforce this rule. For more information, see the na_options(1) man page.

  • Password reset requirement

    The password reset requirement enables you to require that all new users (except for root) reset their passwords when they log in for the first time. Users must also reset their passwords the first time they log in after another user has changed their password.

    You set the security.passwd.firstlogin.enable option to on to enable this requirement. The default value is off.

    For more information, see the na_options(1) man page.
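
The following is an added example, not part of the original documentation or any NetApp tool: a small audit that reads a saved listing of the security.passwd options and reports which of the three options named above are still at the default values this page describes as not enforcing the rule. It assumes the listing has one "name value" pair per line; the sample listing and the function names are constructed for illustration.

```python
# Added example: audit a saved option listing against the defaults on this page.
# Assumption: each line of the listing is "<option name> <value>".

# option -> (value that leaves the rule unenforced per this page, finding text)
UNENFORCED = {
    "security.passwd.rules.history": ("0", "password history is not enforced"),
    "security.passwd.lockout.numtries": ("0", "lockout after failed logins is not enforced"),
    "security.passwd.firstlogin.enable": ("off", "first-login password reset is not required"),
}

def parse_options(text):
    """Return {option: value}; ignore blank lines and unrelated options."""
    opts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("security.passwd."):
            opts[parts[0]] = parts[1].lower()
    return opts

def audit(text):
    """Return sorted (option, finding) pairs for weak, missing or odd values."""
    opts = parse_options(text)
    findings = []
    for name, (weak, message) in UNENFORCED.items():
        value = opts.get(name)
        numeric = weak == "0"
        if value is None:
            # A missing line is reported rather than assumed to be safe.
            findings.append((name, "not present in listing; cannot confirm"))
        elif not (value.isdigit() if numeric else value in ("on", "off")):
            findings.append((name, "unexpected value %r" % value))
        elif (int(value) == 0) if numeric else (value == weak):
            findings.append((name, message))
    return sorted(findings)

# Constructed sample listing (not captured from a real storage system).
SAMPLE = """\
security.passwd.firstlogin.enable off
security.passwd.lockout.numtries 6
security.passwd.rules.history 0
"""

if __name__ == "__main__":
    for option, finding in audit(SAMPLE):
        print("%-36s %s" % (option, finding))
```

The per-user expiration and minimum-age values are set through useradmin and are not covered by this check.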