1.4 Managing Passwords

When you choose to exchange information between connected systems, you should take precautions to make sure that the exchange is secure. This is especially true for passwords.

  • The Password Hint attribute (nsimHint) is publicly readable, to allow unauthenticated users who have forgotten a password to access their own hints. Password Hints can help reduce help desk calls.

    For security, Password Hints are checked to make sure that they do not contain the user's actual password. However, a user could still create a Password Hint that gives too much information about the password.

    To increase security when using Password Hints:

    • Allow access to the nsimHint attribute only on the LDAP server used for Password Self-Service.

    • Require that users answer Challenge Questions before receiving the Password Hint.

    • Remind users to create Password Hints that only they would understand. The Password Change Message in the password policy is one way to do this. See “Adding a Password Change Message” in the Password Management 3.3 Administration Guide.

    If you choose not to use Password Hints at all, make sure that none of your password policies uses them. To prevent Password Hints from being set, you can go a step further and remove the Hint Setup gadget completely, as described in “Disabling Password Hint by Removing the Hint Gadget” in the Password Management 3.3 Administration Guide.

  • Challenge Questions are publicly readable, to allow unauthenticated users who have forgotten a password to authenticate another way. Requiring Challenge Questions increases the security of Forgotten Password Self-Service, because a user must prove his or her identity by giving the correct responses before receiving a forgotten password or a Password Hint, or resetting a password.

    The intruder lockout setting is enforced for Challenge Questions, so the number of incorrect attempts an intruder could make is limited.

    However, a user could create Challenge Questions that hold clues to the password. Remind users to create Challenge Questions and Responses that only they would understand. The Password Change Message in the password policy is one way to do this. See “Adding a Password Change Message” in the Password Management 3.3 Administration Guide.

  • For security, the Forgotten Password actions of E-mail password to user and Allow user to reset password are available only if you require the user to answer Challenge Questions.

  • A security enhancement was added to NMAS 2.3.4 regarding Universal Passwords changed by an administrator. It works in essentially the same way as the feature previously provided for the NDS Password.

    If an administrator changes a user's password, such as when creating a new user or in response to a help desk call, the password is automatically expired if you have enabled the setting to expire passwords in the password policy. The setting in the password policy is in Advanced Password Rules, named Number of days before password expires (0-365). For this particular feature, the number of days is not important, but the setting must be enabled.

  • It is recommended that you use a password-ref GCV for passwords.
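As an added illustration of the Password Hint caveat above (example code written for this page, not Password Management's own code), the substring check the text describes is shown beside an assumed stricter check that also catches re-punctuated or partial copies of the password. The password, the hints and the `min_overlap` threshold are constructed assumptions.

```python
import re


def normalize(text: str) -> str:
    """Lower-case the text and strip everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def basic_hint_check(password: str, hint: str) -> bool:
    """The check the text describes: reject a hint containing the actual password.
    Returns True when the hint is acceptable."""
    return password.lower() not in hint.lower()


def strict_hint_check(password: str, hint: str, min_overlap: int = 4) -> bool:
    """Assumed stricter policy (not a product feature): after normalisation,
    reject a hint that reproduces the password or shares any run of
    min_overlap characters with it. Returns True when the hint is acceptable."""
    p, h = normalize(password), normalize(hint)
    if not h:
        return True  # an empty hint cannot leak anything
    if p in h:
        return False  # "Fluffy 2019 !" normalises to the password itself
    # Passwords shorter than min_overlap are covered by the check above;
    # the loop below simply does not run for them.
    for i in range(len(p) - min_overlap + 1):
        if p[i:i + min_overlap] in h:
            return False  # e.g. "starts with Fluf" reveals a prefix
    return True


def evaluate(password: str, hint: str) -> tuple:
    """Return (basic_verdict, strict_verdict) for one hint."""
    return basic_hint_check(password, hint), strict_hint_check(password, hint)


# Constructed sample password and hints for demonstration only.
SAMPLE_PASSWORD = "Fluffy2019!"
SAMPLE_HINTS = [
    "it's Fluffy2019!",                       # contains the password: both reject
    "fluffy 2019 !",                          # passes the basic check, leaks everything
    "starts with Fluf",                       # passes the basic check, leaks a prefix
    "my cat's name and the year I got her",   # only the owner understands: both accept
]

if __name__ == "__main__":
    for hint in SAMPLE_HINTS:
        basic, strict = evaluate(SAMPLE_PASSWORD, hint)
        print(f"{hint!r}: basic={'ok' if basic else 'REJECT'} strict={'ok' if strict else 'REJECT'}")
```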