January 23rd, 2003, 10:22 AM
Passwords and Policies
One of my jobs as a system administrator is to make sure that all our system users have STRONG passwords. The purpose of passwords is not to annoy users or make life harder; the purpose is to secure data on a computer from unauthorized access. Choosing a strong password is one of THE MOST important steps when it comes to computer security.
Making users comply with a password policy is difficult because users are free to choose their own passwords. Human nature dictates that users will prefer simple passwords (easy to remember, but also easy to guess and crack) over strong ones.
Passwords must be changed under any one of the following circumstances:
1 - At least every 3 months.
2 - Immediately after giving your password to someone else.
3 - As soon as possible, but at least within one day after a password has been compromised or after you suspect that a password has been compromised.
4 - If your admin tells you to do so.
When selecting a password, I HIGHLY recommend that you follow these guidelines, as they are VITAL to a good password:
1 - Passwords must contain at least eight nonblank characters.
2 - Passwords must contain a combination of letters (preferably a mixture of upper and lowercase letters), numbers, and at least one special character within the first seven positions.
3 - Passwords must contain a nonnumeric letter or symbol in the first and last positions.
4 - Passwords must not contain the user login name.
5 - Passwords must not include the user's own or (to the best of his or her knowledge) a close friend's or relative's name, employee number, Social Security number, birthdate, telephone number, or any information about him or her that the user believes could be readily learned or guessed.
6 - Passwords must not (to the best of the user's knowledge) include common words from an English dictionary or a dictionary of another language with which the user has familiarity.
7 - Passwords must not (to the best of the user's knowledge) contain commonly used proper names, including the name of any fictional character or place.
8 - Passwords must not contain any simple pattern of letters or numbers such as "qwertyxx".
An easy solution would be the following:
Create your favourite or any sentence that you will not forget, for example:
This is my new password policy that i have to understand
So let us take only the first letter of each word; then it will look something like this:
Now let us make it a bit more complex by playing with uppercase letters as well. In my example I will make every 2nd letter a capital letter.
Now add some numbers to it; again, in my example I will just add the current year at the end.
Now add a few symbols to it, to make it even more secure.
Now I want to see someone crack or guess the above password, although it's really easy to remember. It's nothing else than:
This . is . My . new . Password . policy . That . i . Have . to . Understand . 2003 . #
I might be over-exaggerating here with this example; of course it's way more than 8 characters, but it's really secure. A simple version would be:
I must use condoms when i f***
so it looks something like:
That's also a very safe password.
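As an added example (not from the original post), here is a small Python script that builds a password by the sentence recipe above and checks a candidate against the eight rules from the list; the word and name lists are tiny constructed stand-ins, and the `login` and `personal` inputs are hypothetical. Run over the post's own sentence, it shows that the recipe satisfies every rule except rule 2 as written, because the symbol is appended at the end rather than placed within the first seven positions (that rule dates from crypt(3) hashes, which only use the first eight characters of a password).

```python
import re
import string

# Constructed stand-ins for the dictionary and proper-name lists the post
# refers to; a real deployment would load full word lists here.
DICTIONARY_WORDS = {"password", "welcome", "summer", "secret", "policy"}
PROPER_NAMES = {"frodo", "gandalf", "london", "gotham"}
SEQUENCES = ("qwerty", "asdf", "1234", "abcd")


def from_sentence(sentence, year, symbol):
    """Build a password the way the post describes: first letter of each word,
    alternate letters in upper/lower case, then the year and a symbol appended."""
    initials = "".join(word[0] for word in sentence.split())
    mixed = "".join(c.upper() if i % 2 == 0 else c.lower()
                    for i, c in enumerate(initials))
    return mixed + year + symbol


def violations(password, login, personal=()):
    """Return the rule numbers (as in the post's list) that a password breaks."""
    broken = []
    nonblank = "".join(password.split())
    low = password.lower()
    if len(nonblank) < 8:                       # rule 1: eight nonblank chars
        broken.append(1)
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    special_early = any(c in string.punctuation for c in password[:7])
    if not (has_alpha and has_digit and special_early):   # rule 2
        broken.append(2)
    if not password or password[0].isdigit() or password[-1].isdigit():
        broken.append(3)                        # rule 3: non-digit ends
    if login and login.lower() in low:          # rule 4: login name
        broken.append(4)
    if any(item and item.lower() in low for item in personal):   # rule 5
        broken.append(5)
    if any(word in low for word in DICTIONARY_WORDS):            # rule 6
        broken.append(6)
    if any(name in low for name in PROPER_NAMES):                # rule 7
        broken.append(7)
    # Rule 8: keyboard runs, counting sequences, or one character repeated.
    if any(seq in low for seq in SEQUENCES) or re.search(r"(.)\1\1", low):
        broken.append(8)
    return broken
```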
And never never ever give out your passwords, or even any clue on what it could be like.
There are many more ways to enforce secure password policies in general for higher security, such as one-time passwords or other PAM modules which are available. But that, my friends, is another story.
I hope this helps you to secure your access a bit more than it already might be.
Good luck to everyone.