With all this discussion of passwords, there are some very important
points to be made:

-- Environments where passwords are required vary widely.

Some will have more computer-savvy users than others, but even
within those environments there will undoubtedly exist an element of
"duh". Read Computerworld's daily SharkTank for examples.

-- Passwords too complex for your users to *easily* remember defeat the
purpose of having the password.

If passwords are unnecessarily complex, the user will either
constantly forget them, causing reduced productivity at best, or write
them down, subjecting the password to theft. In HPUX using their
Trusted System option, the SAM program generates a 30 (*THIRTY*)
character password for new accounts. What's the point??? There's no
way to remember the jumble of characters that long and it's not easily
sent to the user electronically so it must be written down and is then
immediately subject to being stolen or just plain lost on the way back
to their desk or whatever.

-- If multiple passwords exist on multiple systems, give the user a
mechanism to change/expire all at once.

In my experience, users don't know (and shouldn't have to!) why
and how they have different accounts to do their different tasks.
Ideally, they should have one account with one (possibly two for extra
security) easy-to-remember password. If not, this will confuse many
users and make their life (and consequently, yours) more difficult.

So, what to do? Glad you asked! At a DECUS (now-defunct DEC User
group) meet back in '92, a chief security guy recommended these:

1) 30 day lifetime
2) Minimum length of 12 (eep!)
3) No reuse of passwords (keep password history)
4) Check password for dictionary and common variants (e.g. username)
5) Do not use system-generated passwords
6) Teach users to use an algorithm to generate passwords.

The last one is the kicker that makes the rest easy. The guy from DEC
said to take two of your favorite things, in his example, beer and Star
Trek. Combine elements of the two to get your password, for example,
"spockmiller". To meet system requirements and make the password
incredibly more difficult to crack or guess, duplicate letters and add
numbers: "miller23spockk". The password is now easy for the user to
remember, easy for them to think of new passwords every month, and
generally about as secure as passwords can get. Of course, I use my own
variant on the above as an added measure of security to help discourage
others that know this method from attempting to guess my password. :)

This solution is not generally one of server management, but of user
training. The first five items can be enforced. The last one is how to
make it easy (easier at least) for the user to abide by those rules in
order to help keep your data secure.

Not that I know how to implement any of this in Gentoo... :)

Thoughts, comments, questions? Holler!
Rich

--
gentoo-server@g.o mailing list
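As an added example (not from Rich's post, and not Gentoo or HPUX code), here is a checker that enforces items 2, 3 and 4 of the list above on a candidate password; the word list, the leet-substitution table and the salted (salt, digest) history format are assumptions made for the example:

```python
import hashlib
import hmac
import re

MIN_LENGTH = 12      # item 2 in the list above
# Constructed stand-in for a real word list such as /usr/share/dict/words.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "gentoo", "trusted"}
# Undo the substitutions people use to sneak a dictionary word past a checker.
LEET = str.maketrans("4301$@!", "aeolsai")

def normalize(candidate):
    """Lower-case, undo simple leet spellings and drop everything but letters."""
    return re.sub(r"[^a-z]", "", candidate.lower().translate(LEET))

def username_variants(username):
    """The username itself, reversed, and with doubled letters collapsed."""
    u = username.lower()
    return {u, u[::-1], re.sub(r"(.)\1+", r"\1", u)}

def dictionary_hit(candidate, username, words=DICTIONARY):
    """Item 4: return the word or username variant buried in the candidate, else None."""
    core = normalize(candidate)
    for v in sorted(username_variants(username), key=len, reverse=True):
        if len(v) >= 3 and v in core:
            return v
    for w in sorted(words, key=len, reverse=True):
        if len(w) >= 4 and w in core:
            return w
    return None

def digest(password, salt):
    """Salted, slow hash so the history never stores cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def reused(candidate, history):
    """Item 3: history is a list of (salt, digest) pairs for earlier passwords."""
    return any(hmac.compare_digest(digest(candidate, s), d) for s, d in history)

def check_password(username, candidate, history=()):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hit = dictionary_hit(candidate, username)
    if hit:
        problems.append(f"contains dictionary word or username variant '{hit}'")
    if reused(candidate, history):
        problems.append("matches a password in the history")
    return problems
```

With these rules the post's own "miller23spockk" passes for user "rich", while "password1234" (a leet-free dictionary word padded to 12) and "rich2023rich!" (username variant) are rejected.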