Good password practices are critical for the following reasons:
- The most common form of attack on a corporate system is password guessing.
- On most systems, most untrusted services are protected primarily by passwords rather than more glamorous methodologies such as smart cards, biometric systems, hand-held authentication tokens, and so on.
- Insecure passwords, whether engendered by bad systems practice or bad user practice, may endanger data, in breach of data-protection legislation, contractual obligation, or corporate policy.
CERT (Computer Emergency Response Team) states that:
“70% of all network security problems are generated by bad passwords.”
Passwords: Good Systems Enforcement Practice
Password enforcement is a trade-off between paranoia and practicality. The tighter the restrictions, the more pressure on the user to evade restrictions as far as possible so that he or she can get on with the job. Keep the following in mind as you set your restrictions:
- Buffers that store login keystrokes are a security risk.
- Unlimited attempts to access a password-protected system should not be allowed. Limitations should also apply to dial-in access.
- Where a login attempt threshold has been set, breaches should be audited. The user should be notified at the next successful login, and encouraged to report anomalies.
- Each user should have only one account unless there’s a very good reason for making an exception.
- First-time users should receive a unique password (not a default password, least of all an easy guess such as password, abc123, or, worst of all, a null password) and be forced to change it at the first login.
- When assigning passwords, using random patterns is preferable to using the same word as the account name or using a password that derives from some other easily guessed formula.
- Passwords shouldn’t be given or changed on the strength of an unverified phone call. Ringing back to a trusted phone number or mailing to a trusted individual is better than nothing, but certainly isn’t as secure as requiring a user to report in person with verifiable identification.
- A classic password attack technique is to take advantage of a readable /etc/passwd and run guessing techniques against the password field offline, where no login threshold applies. Shadow password files and dummy password files are recommended.
- Password aging is desirable in principle. However, it pressures the user into evasive strategies, such as:
- Recycling passwords on systems that allow it. (Sometimes this strategy is just a matter of changing the password a given number of times until the system accepts the one that has just timed out.)
- Using the same password on a number of systems and changing them all at the same time. This strategy is subject to the same objection that is often made to single sign-on: breaking one password gives an intruder
- Writing the password down and leaving it somewhere accessible and therefore insecure (worst case: on a yellow sticky note on the monitor).
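The /etc/passwd point above is easy to check for. The following is an added example, not part of the original article: it parses passwd-format lines and flags entries that still carry a real hash in the world-readable file (offline guessing exposure) or that have an empty password field (a null password, as warned against for first-time users). The sample lines are constructed, not taken from any real system.

```python
import sys

# Constructed sample /etc/passwd content (fake users and a fake hash).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:1001:1001:Legacy app:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

# Password-field values that mean "no hash stored here": shadowed ('x')
# or login disabled ('*', '!', '!!', '!*'). Anything else is a hash
# (a locked hash such as '!$6$...' still exposes the hash, so it is flagged).
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!", "!*"}


def audit_passwd(text):
    """Return a list of (username, finding) pairs for risky entries.

    Findings:
      'null-password'  - empty password field: login with no password at all
      'hash-in-passwd' - a real hash sits in world-readable /etc/passwd,
                         so it can be copied and guessed offline
      'malformed'      - the line does not have the 7 colon-separated fields
    """
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "null-password"))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append((user, "hash-in-passwd"))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. /etc/passwd) to audit a real file; otherwise use the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for user, finding in audit_passwd(src):
        print(f"{user}: {finding}")
```

On a correctly shadowed system the audit returns an empty list; any 'hash-in-passwd' or 'null-password' finding is something to fix before an attacker reads the file.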
Don’t share passwords unless there’s a formal protocol set up to allow it. More than one person sharing an account is a major threat to security (except under very controlled conditions); at the very least, it presents difficulties in tracking problems, even where no malicious intent is suspected. Unless clearance in writing has been obtained from an appropriate person (normally the system manager or equivalent for the relevant system rather than the head of a client unit), such practice may be regarded as a breach of discipline.
Other rules of thumb for good password practice include the following:
- Integrity of shared data can be compromised (through overwriting by incorrect versions, inadequate file or record locking, or accidental deletion) unless sharing is properly organized.
- The more people with access, the greater the risk of accidental or deliberate extension of access to intruders.
- The more people with access, the easier cracking the password is likely to be.
- Any breach of security on one networked computer is likely to compromise security on the whole of the network.
- Attacks on computer systems can come from inside as well as outside.
- If an attack is traced to a particular account, the holder of that account will be a prime suspect.
Be aware of the social engineering approach to cracking passwords: the quickest route to appropriating a password (especially a shared one) can be via a phone call and a bluff. Don’t disclose passwords to anyone whose identity you can’t verify, or whose right or need to know is in doubt.
Beware of any request for your password, especially one sent by mail or generated by any program, from whatever apparent source.
Here are some sites where you can easily check your password strength: