How does password aging on non-trusted systems work?

Page 1 of 6

English

Search: More options

» Contact HP
i IT Resource Center n
j
k
l
m
n j All of HP (US)
k
l
m
Search knowledge base

Technical knowledge base - document

» IT Resource Center
Title: How does password aging on non-trusted systems
» Logout work?
» My profile Document ID: emr_na-c00904837-4
Submitted Date: 2007-03-20 05:00:00.0
» Search knowledge Last Modified Date: 2007-03-23 05:00:00.0
base
» Forums You may provide feedback on this document
» Patch database
» Download drivers,
software and firmware
» Warranty check
How does password aging on non-trusted systems
» Support Case Manager work?
» Software Update
Manager How does password aging on non-trusted systems work?
» Training and Education
» More maintenance and
DocId: KBAN00000715 Updated: 20011217
support options

DOCUMENT
» Online help
» Site map First, an extended passage from the passwd(4) manpage:

If the password field is null there is no password and no password is

Welcome, Trng! demanded on login. Otherwise this field consists of an encrypted
(CA1461876) password with an optional password aging subfield.

The encrypted password consists of 13 characters chosen from a 64-

character set of "digits" described below, Login can be prevented by
entering in the password field a character that is not part of the set
of digits (such as *).

The characters used to represent "digits" are . for 0, / for 1, 0

through 9 for 2 through 11, A through Z for 12 through 37, and a
through z for 38 through 63.

Password aging is put in effect for a particular user if his encrypted

password in the password file is followed by a comma and a non-null
string of characters from the above alphabet. (Such a string must be
introduced in the first instance by a superuser.) This string defines
the "age" needed to implement password aging.

UNIX keeps internal time stamps in a format with a base date of

Thursday January 1, 1970. Because of this, passwd considers the
beginning of a week to be 00:00 GMT Thursday.

The first character of the age, M, denotes the maximum number of

weeks a password is valid. A user who attempts to login after his
password expired is forced to supply a new one. The next character,
m, denotes the minimum period in weeks that must expire before the
password can be changed. The remaining two characters define the

http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010
How does password aging on non-trusted systems work? Page 2 of 6

week when the password was last changed (a null string is equivalent
to zero). M and m have numerical values in the range 0 through 63
that correspond to the 64-character set of "digits" shown above.

If m = M = 0 (derived from the string . or ..), the user is forced to

change his password next time he logs in (and the "age" disappears
from his entry in the password file). If m > M (signified, for
example, by the string ./), then only a superuser (not the user) can
change the password. Not allowing the user to ever change the
password is discouraged.

Now, another explanation:

Basically, the password expiration is encoded in four characters following the comma after the
encoded password string:

$ grep guest /etc/passwd

guest:vs574kxeh2hak,/.pI:106:20:Guest User,...

Up above, the four "password expiration" characters are "/.pI".

The first character ("/") encodes the maximum number of weeks a password is valid.

The second character (".") encodes the minimum period in weeks that must expire before the
password can be changed.

The remaining two characters ("pI") encodes the week the password was last changed.

These four "password expiration" characters are encoded as follows:

Table of Encoded Characters

.=0 6= 8 E = 16 M = 24 U = 32 c = 40 k = 48 s = 56
/=1 7= 9 F = 17 N = 25 V = 33 d = 41 l = 49 t = 57
0 = 2 8 = 10 G = 18 O = 26 W = 34 e = 42 m = 50 u = 58
1 = 3 9 = 11 H = 19 P = 27 X = 35 f = 43 n = 51 v = 59
2 = 4 A = 12 I = 20 Q = 28 Y = 36 g = 44 o = 52 w = 60
3 = 5 B = 13 J = 21 R = 29 Z = 37 h = 45 p = 53 x = 61
4 = 6 C = 14 K = 22 S = 30 a = 38 i = 46 q = 54 y = 62
5 = 7 D = 15 L = 23 T = 31 b = 39 j = 47 r = 55 z = 63

So, per this example, if the password age field is "/.pI":

Maximum number of weeks the password is valid = "/" --> "1"

Minimum weeks before the password can be changed = "." --> "0"
Week password was last changed = "pI" = "53, 20" = 53+(20*64) = "1333"

Note: per the a64l(3C) (which passwd(1) uses) manpage:

The leftmost character is the least significant digit. For example,

a0 = (38 x 64^0) + (2 x 64^1) = 166

The a64l(3C) manpage is part of the "ProgSupport.Manuals.PAUX-ENG-A-MAN"

product, located on an HP-UX CORE OS CD-ROM.

Because the least significant digit is the leftmost character for the base-64 ASCII string representing
the week the password was last changed, the succession of numbers in this format is unusual:

0 -> ..
1 -> /.
2 -> 0.
: : :
1331 -> nI
1332 -> oI
1333 -> pI
1334 -> qI

http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010
How does password aging on non-trusted systems work? Page 3 of 6

1335 -> rI
: : :
1341 -> xI
1342 -> yI
1343 -> zI
1344 -> .J
1345 -> /J
1346 -> 0J
1347 -> 1J
1348 -> 2J
: : :
4094 -> yz
4095 -> zz

This encoding only goes up to "zz", so the largest number a two character base-64 ASCII string can
represent is ('z'+64*'z' = '63'+64*'63') 4095. With about 52 weeks in a year, 4095 weeks is almost 79
years. So, 1970 + 78 years, means HP will need to come up with a new encoding by the year 2048.

Here is an example of manually calculating what the values would be:

# date
Wed May 2 11:15:18 PDT 2001
# at now + 1 minute < /dev/null
warning: commands will be executed using /usr/bin/sh
job 988827528.a at Wed May 2 11:18:48 2001
# at -r 988827528.a
# # Those at(1)'s were getting number of seconds from January 1, 1970
##
# echo "obase=64\n988827528 / 60 / 60 / 24 / 7" | bc
25 34
# passwd -x 5 guest
<max> argument rounded up to nearest week
# pwget -n guest
guest:SaCVF5KlZqm6c,/.WN:105:20:,,,:/home/guest:/usr/bin/sh
#

So, "25 = 'N'" and "34 = 'W'", and since the significance is inverted, the week changed is set to "WN".

A quick side note is necessary to clarify the start and end of a week. The password expiration is
stored in number of weeks since the start of the Epoch. Per the glossary(9) manpage:

Epoch The time period beginning at 0 hours, 0 minutes, 0

seconds, Coordinated Universal Time (UTC) on January 1,
1970. Increments quantify the amount of time elapsed
from the Epoch to the referenced time.

So going back to the date of January 1, 1970:

$ cal 1 1970
January 1970
S M Tu W Th F S
1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31

The first week of the epoch started on Thursday, and ended on Wednesday. Therefore, as related to
password expiration, every following week starts on Thursday and ends on Wednesday.
(end of quick side note)

An excised passwd(1) manpage states:

-x max Determine the maximum number of days, max, a

password can remain unchanged. The user must enter
another password after that number of days has

http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010
How does password aging on non-trusted systems work? Page 4 of 6

transpired, known as the password expiration time.

The min and max arguments are each represented in units of days.
These arguments will be rounded up to the nearest week on a nontrusted
HP-UX system.

So, if `passwd -x 1` is executed on Friday, January 5, and cal(1) shows:

January 2001
S M Tu W Th F S
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31

The password is rounded up to be a maximum of "1 week" old. From 01/04 to 01/10, the password is
"0" weeks old. From 01/11 to 01/17, the password is still a permissable "1" week old (it has reached,
but not exceded, the maximum permissable value). Finally, on 01/18, the password will now have
reached "2" weeks old and the user must now change the password at this time.

So, even though "passwd -x 1" seems like it would expire in 1 day, in the above example, it will
actually expire in 13 days.

Also, the maximum value you can set for passwd(1)'s "- x" option is "441", which happens to be (63 *
7), which conforms to the previous information on only allowing one character to represent the
number of weeks and the largest valued character is "z", which is "63". This was determined
empirically:

# passwd -x 442
Invalid argument to option -x
# passwd -x 441
<max> argument rounded up to nearest week
Usage:
:
#

There is no way to represent expiring in 442 days with one encoded character. "442" days would be
rounded up to "64" weeks, and there is no encoded character from the above "Table of Encoded
Characters" to encode "64".

If it is desired to have a user to need to change their password weekly, set the maximum number of
weeks the password is valid to zero, so on the following week, when the password becomes one
week old, the user will now need to change it.

An interesting effect with this is if a user has a maximum of zero weeks for their password and they
change their password on Wednesday at 3:55 pm PST, ten minutes minutes later, at 4:05
their password is expired, because 00:00 GMT is 4:00 pm PST, which is the start of a new week.

The way this password expiration is quantized by weeks, the "margin of error" for when a
must be changed is +/- one week off since the last time it was changed. For a maximum of a "1" week
old password, if it was changed at 12:00 noon on Wednesday, it needs to be changed 8 days later,
next week's Thursday. However, if it was changed at 12:00 noon on Thursday, then it needs to be
changed 14 days later, in two weeks, when the password is now beyond one week old. The following
C code displays useful password expiration information:

/*
* This program is passed a valid username as an argument and
* displays password expiration information: "miximum weeks",
* "minimum weeks", "week of Epoch when the password was last
* modified", and "current week of the Epoch".
*/

#include <pwd.h>
#include <stdio.h>
#define SECONDS_PER_WEEK (60 * 60 * 24L * 7)

http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010
How does password aging on non-trusted systems work? Page 5 of 6

main() {
char user_name[1000];
struct passwd *pwd;
char maxw[1], minw[1], last[2];

printf ("Input username: ");

scanf("%s", &user_name);
if ((pwd = getpwnam(user_name)) == NULL) {
printf("\nuser '%s' not found\n\n", user_name);
exit(1);
}
if (strlen(pwd->pw_age) == NULL) {
printf("\nno password age field for user '%s'\n\n", user_name);
exit(2);
};
printf("\npassword age field : %s\n\n", pwd->pw_age);

maxw[0] = pwd->pw_age[0];
minw[0] = pwd->pw_age[1];
last[0] = pwd->pw_age[2];
last[1] = pwd->pw_age[3];

printf("maximum weeks : '%s' = %d\n", maxw, (int)a64l(maxw));

printf("minimum weeks : '%s' = %d\n", minw, (int)a64l(minw));
printf("last modified : '%s' = %d ", last, (int)a64l(last));
printf("weeks since 1970\n");
printf("\ncurrently %d weeks since 1970\n", time(0) / SECONDS_PER_WEEK);
}

Here is an example of compiling and executing the above code:

$ grep guest /etc/passwd

guest:vs574kxeh2hak,/.HN:722:20:Guest User,...
$ cc show_exp.c -o show_exp
$ show_exp
Input username: guest
password age field : /.HN
maximum weeks : '/' = 1
minimum weeks : '.' = 0
last modified : 'HN' = 1619 weeks since 1970
currently 1620 weeks since 1970
$

To review the above "last modified" ('HN') calculation (again using the "Table of Encoded
Characters"):

This indicates week : H + 64 * N

(H = 19) + 64 * (N = 25)
19 + (64 * 25)
19 + 1600
1619

So, the expiration date is week "1619".

Here is a calendar of the relevent month and some week information:

January 2001
S M Tu W Th F S
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31

week 1619 since 1970 : 01/11/01 - 01/17/01

http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010
How does password aging on non-trusted systems work? Page 6 of 6

week 1620 since 1970 : 01/18/01 - 01/24/01

week 1621 since 1970 : 01/25/01 - 01/31/01

Since the password was last modified during the 1,619th week since January 1, 1970, and the
maximum number of valid weeks is "1", that means "week 1620" is still valid, but on Thursday,
January 25, the password will expire.

Starting with HP-UX 11.00, passwd(1)'s "-s" option may also be used to view this information:

$ man passwd

-s name Display some password attributes associated with the

specified name. Superuser privilege and non-trusted
mode is required if the files repository is specified.
For nisplus, there are no restrictions.

The format of the display will be:

name status mm/dd/yy min max warn

or, if password aging information is not present

name status

where status PS=passworded; LK=locked; and NP=no

password.

$ grep guest /etc/passwd

guest:vs574kxeh2hak,/.HN:722:20:Guest User,...
$ passwd -s guest
guest PS 01/11/01 0 7

And the date "01/11/01" is the same as just previously determined, "week 1619".

Original KMine AN KBAN00000715

Printable version

Privacy statement Using this site means you accept its terms
© 2010 Hewlett-Packard Development Company, L.P.

http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00904837-4&docL... 11/16/2010