| 1 |
With all this discussion of passwords, there's some very important |
| 2 |
points to be made: |
| 3 |
|
| 4 |
-- Environments where passwords are required vary widely. |
| 5 |
|
| 6 |
Some will have more computer-saavy users than others, but even |
| 7 |
within those environments there will undoubtedly exist an element of |
| 8 |
"duh". Read Computerworld's daily SharkTank for examples. |
| 9 |
|
| 10 |
-- Passwords too complex for your users to *easily* remember defeat the |
| 11 |
purpose of having the password. |
| 12 |
|
| 13 |
If passwords are unnecessarily complex, the user will either |
| 14 |
constantly forget them, causing reduced productivity at best, or write |
| 15 |
them down, subjecting the password to theft. In HPUX using their |
| 16 |
Trusted System option, the SAM program generates a 30 (*THIRTY*) |
| 17 |
character password for new accounts. What's the point??? There's no |
| 18 |
way to remember the jumble of characters that long and it's not easily |
| 19 |
sent to the user electronically so it must be written down and is then |
| 20 |
immediately subject to being stolen or just plain lost on the way back |
| 21 |
to their desk or whatever. |
| 22 |
|
| 23 |
-- If multiple passwords exist on multiple systems, give the user a |
| 24 |
mechanism to change/expire all at once. |
| 25 |
|
| 26 |
In my experience, users don't know (and shouldn't have to!) why |
| 27 |
and how they have different accounts to do their different tasks. |
| 28 |
Ideally, they should have one account with one (possibly two for extra |
| 29 |
security) easy-to-remember password. If not, this will confuse many |
| 30 |
users and make their life (and consequently, yours) more difficult. |
| 31 |
|
| 32 |
So, what to do? Glad you asked! At a DECUS (now-defunct DEC User |
| 33 |
group) meet back in '92, a chief security guy recommended these: |
| 34 |
|
| 35 |
1) 30 day lifetime |
| 36 |
2) Minimum length of 12 (eep!) |
| 37 |
3) No reuse of passwords (keep password history) |
| 38 |
4) Check password for dictionary and common variants (e.g. username) |
| 39 |
5) Do not use system-generated passwords |
| 40 |
6) Teach users to use an algorithm to generate passwords. |
| 41 |
|
| 42 |
The last one is the kicker that makes the rest easy. The guy from DEC |
| 43 |
said to take two of your favorite things, in his example, beer and Star |
| 44 |
Trek. Combine elements of the two to get your password, for example, |
| 45 |
"spockmiller". To meet system requirements and make the password |
| 46 |
incredibly more difficult to crack or guess, duplicate letters and add |
| 47 |
numbers: "miller23spockk". The password is now easy for the user to |
| 48 |
rememeber, easy for them to think of new passwords every month, and |
| 49 |
generally about as secure as passwords can get. Of course, I use my own |
| 50 |
variant on the above as an added measure of security to help discourage |
| 51 |
others that know this method from attempting to guess my password. :) |
| 52 |
|
| 53 |
This solution is not generally one of server management, but of user |
| 54 |
training. The first five items can be enforced. The last one is how to |
| 55 |
make it easy (easier at least) for the user to abide by those rules in |
| 56 |
order to help keep your data secure. |
| 57 |
|
| 58 |
Not that I know how to implement any of this in Gentoo... :) |
| 59 |
|
| 60 |
Thoughts, comments, questions? Holler! |
| 61 |
Rich |
| 62 |
|
| 63 |
-- |
| 64 |
gentoo-server@g.o mailing list |
Archives