LINUX SECURITY --- August 29, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
*********************************************************************
HIGHLIGHTS
* The first line of defense and easiest to overlook: Passwords.
*********************************************************************
Effective Password Management
By Rick Johnson
Passwords are the cornerstone of effective user security. I know what
you are thinking: "I'm an experienced computer operator who has had
hundreds of passwords throughout my computing life. What more can I
learn that life hasn't already taught me?" The answer is ... nothing. You
most likely already know what should be done; however, even the most
experienced operator can become complacent and forget to practice what
they preach.
Here is a list that should be a part of any personal or corporate
password management policy:
* Never use a word that could appear in any dictionary, including
technical, foreign, or even slang.
* Do not use anything easy to guess, such as your name, birthday, or
any word or acronym that is characteristic of you (such as the
title of your favorite book, your pet, your hobby, etc.).
* Avoid using your phone or office number, address, birthday,
anniversary or any string of numbers.
* Replace letters with special characters (for example, "!" for "I").
* Make words mixed case. Using one or two upper case characters
extends the set of characters an attacker must try at each position by
another 26.
* Choose something obscure. For instance, you might deliberately
misspell a word, use a combination of two unrelated words, or a
combination of letters and numbers.
* Change the password at least once every three months.
* Never write down your password and be cautious of who may be
looking when it is entered.
* Use different passwords on different systems. That way, if one is
compromised, the damage will be limited to that system.
As a Security Administrator, it is your job to be sure all system
accounts follow these guidelines. Taking a proactive approach is
essential to minimize the risk of an account compromise. Using a
password-cracking tool such as John the Ripper
(http://www.openwall.com/john/) will assist in finding the vulnerable
accounts before someone else does.
Another helpful tool in the war against insecure passwords is Npasswd
(http://www.utexas.edu/cc/unix/software/npasswd/). A replacement for the
passwd command, Npasswd screens new passwords to decrease the chance of
having passwords vulnerable to guessing by programs.
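As an added example (not from the article, and not Npasswd's own code), here is a small screening function in the spirit of Npasswd that rejects a new password against the checklist above; the word list, the symbol-substitution table and the layout of the per-user personal data are constructed assumptions.

```python
import re

# Constructed stand-in for a real word list such as /usr/share/dict/words.
DICTIONARY = {"password", "linux", "secret", "welcome", "summer", "dragon"}

# Common letter-for-symbol swaps, reversed so "P@ssw0rd" still reads as "password".
LEET_TO_LETTER = str.maketrans({"!": "i", "1": "i", "@": "a", "4": "a", "3": "e",
                                "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})


def normalize(candidate: str) -> str:
    """Undo mixed case and symbol substitutions before the dictionary check."""
    return candidate.lower().translate(LEET_TO_LETTER)


def screen_password(candidate: str, personal: dict, min_len: int = 8) -> list:
    """Return the rules the candidate breaks; an empty list means it is accepted.

    `personal` maps a label to a user-specific string to reject (name, phone,
    birthday ...); this layout is assumed, not taken from any real account database.
    """
    problems = []
    if len(candidate) < min_len:
        problems.append("too short")
    plain = normalize(candidate)
    # Rule: no dictionary word, even with symbols swapped in for letters.
    if plain in DICTIONARY or any(w in plain for w in DICTIONARY if len(w) >= 5):
        problems.append("based on a dictionary word")
    # Rule: nothing characteristic of the user (name, phone, dates ...).
    for label, value in personal.items():
        digits = re.sub(r"\D", "", value)
        if (len(value) >= 3 and value.lower() in plain) or \
           (len(digits) >= 4 and digits in candidate):
            problems.append(f"contains {label}")
    # Rule: not just a string of numbers.
    if candidate.isdigit():
        problems.append("only digits")
    # Rule: mixed case, and at least one character that is not a letter.
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("not mixed case")
    if candidate.isalpha():
        problems.append("no digit or special character")
    return problems
```

A passwd replacement would call `screen_password` on the new value and refuse the change whenever the returned list is non-empty.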
Passwords are the first line of defense to a network and they deserve
the same time and dedication as other areas of security. If you have not
done so lately, take a moment to educate those around you on the key
points of password management. Education now can help prevent a disaster
later.
Resources
Wristwatch will lock a PC
Wearable password said to make security more effective
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_2264,00.html
The latest tidbits on security news
http://www.sunworld.com/sunworldonline/swol-08-2000/swol-0818-securityspots.html
Security manager's journal, week 3
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_2281,00.html
************************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************