Koozali.org: home of the SME Server

Password Security

Tyrone C. Miles

Password Security
« on: November 15, 2002, 09:55:03 PM »
Is there a way to set the passwords on the system to require complex passwords and also to set them to require a change every 30 - 60 days or so?

Bill Talcott

Re: Password Security
« Reply #1 on: November 15, 2002, 10:00:41 PM »
You may want to think about that some more. Some research has shown that excessively complex passwords are hard to remember, so people tend to put them on a sticky note on their monitor. Likewise, forcing them to change their password often leads to less than ideal passwords too (secret1 becomes secret2, becomes secret3, etc.).

We all want good passwords, but if it's too much for users they'll actually end up creating a less secure situation...

Tyrone Miles

Re: Password Security
« Reply #2 on: November 15, 2002, 10:13:50 PM »
I am not worried about physical machine security so if a user puts his/her password on a piece of paper that is no big deal.

In Novell and in Windows 2000 you can tell the Active Directory or NDS database to remember password combos and set the database to make sure the person changes at least 2 to 3 letters or numbers that are the same or in the same order as the last password. So if they try to use secret3 after using secret2 they will get an error and be told to change it.

I also want to lock people out if they use the wrong password on an account 3 times when trying to log into Webmail, VPN, etc.

I am more worried about VPN, Webmail and remote connections or people that may hack my network.
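
The controls asked about in this post (complexity, forced change after N days, a history that rejects near-duplicates such as secret2 to secret3, and lockout after 3 failures) modelled in a small policy checker. This is an added example written for this page, not SME Server code or anything posted in the thread; the policy constants, the PBKDF2 storage and the edit-distance similarity metric are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy constants chosen for illustration (assumptions, not SME Server defaults).
MAX_AGE_DAYS = 60       # force a change after this many days
HISTORY_LEN = 5         # previous hashes remembered for the reuse check
MIN_DIFFERENT = 3       # new password must be at least this many edits from the current one
MAX_FAILURES = 3        # lock the account after this many consecutive wrong passwords
PBKDF2_ROUNDS = 50_000  # kept low only so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 'secret2' -> 'secret3' is 1 edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def complexity_ok(pw: str) -> bool:
    """At least 8 characters drawn from 3 of the 4 classes lower/upper/digit/other."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= 8 and sum(classes) >= 3


@dataclass
class Account:
    # One salt per account, reused for history entries so their hashes stay comparable.
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    history: list = field(default_factory=list)
    changed: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    failures: int = 0
    locked: bool = False


def change_password(acct: Account, old: Optional[str], new: str,
                    now: Optional[datetime] = None) -> str:
    """Apply the policy; returns 'ok' or the reason the change was refused.

    `old` is the current cleartext the user types at change time (None for an
    administrative reset). It is only available at that moment, which is why the
    similarity check compares cleartexts while the reuse check compares hashes.
    """
    if old is not None and not hmac.compare_digest(_hash(old, acct.salt), acct.current):
        return "wrong current password"
    if not complexity_ok(new):
        return "too simple"
    new_hash = _hash(new, acct.salt)
    if new_hash == acct.current or new_hash in acct.history:
        return "reused"
    if old is not None and edit_distance(old, new) < MIN_DIFFERENT:
        return "too similar to current password"
    if acct.current:
        acct.history = ([acct.current] + acct.history)[:HISTORY_LEN]
    acct.current = new_hash
    acct.changed = now or datetime.now(timezone.utc)
    return "ok"


def login(acct: Account, password: str) -> bool:
    """Verify a password, counting failures and locking after MAX_FAILURES."""
    if acct.locked:
        return False
    if hmac.compare_digest(_hash(password, acct.salt), acct.current):
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
    return False


def must_change(acct: Account, now: Optional[datetime] = None) -> bool:
    """True once the password is older than MAX_AGE_DAYS."""
    now = now or datetime.now(timezone.utc)
    return now - acct.changed >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    acct = Account()
    print(change_password(acct, None, "Flea4Dish!"))            # ok
    print(change_password(acct, "Flea4Dish!", "Flea5Dish!"))    # too similar to current password
    for attempt in ("nope", "nope", "nope"):
        login(acct, attempt)
    print("locked:", acct.locked)                               # locked: True
```

On a generic Linux host the same knobs exist as PAM options rather than application code: pam_cracklib's difok for the minimum difference from the old password, pam_unix's remember= for history, chage -M for maximum age, and pam_tally2 or pam_faillock for lockout. Whether a given SME Server release wires those modules in is not something this thread establishes.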

Scott Smith

Re: Password Security
« Reply #3 on: November 15, 2002, 10:21:11 PM »
> We all want good passwords, but if it's too much for users
> they'll actually end up creating a less secure situation...

Exactly. Another example of security theory failing to respect reality. Security theory is often impractical to the point of being untenable.

Passwords like "secret" or "happy" or "monday" are a little too simple, as are children's names or birthdays or other such things. Hackers can easily scan for these relatively simple choices. On the other hand, passwords like "DKipx8b3qw4" are too cryptic to be remembered by users -- they will write them down, and in a conveniently accessible location.

And let's face it, if the hacker is using a brute force approach or has a back door or decryption -- well, it really doesn't matter then does it? So we're really interested in stopping the casual snooper, and the inexperienced or lazy hacker.

Things like arbitrary two word combinations -- dogChop or fleaDish -- work well, as does sticking an arbitrary number in -- dog2Chop or flea4Dish -- or varying the punctuation -- dOgchoP or FleAdish. These passwords are drivel and will defeat most dictionary based crackers, but are simple enough for users to remember as they can be pronounced.

There are other schemes, but the key is to make it easy enough for the user to remember so they'll use it w/o writing it down.
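
An added example, not code from the thread or from SME Server, that runs a plain wordlist attack and then a combinator attack (two words joined with an optional digit and simple case mangling) against a handful of hashes, so the reader can see where the two-word passwords suggested above fall. The tiny wordlist, the sample users and their passwords, and the use of unsalted SHA-256 are all constructed assumptions for the demonstration.

```python
import hashlib
import itertools

# Constructed tiny wordlist and sample users; a real attack uses a list of
# hundreds of thousands of words, which only changes the arithmetic below.
WORDLIST = ["dog", "chop", "flea", "dish", "secret", "happy", "monday", "cat", "fish"]
DIGITS = ["", "1", "2", "3", "4"]
SAMPLE_USERS = {
    "alice": "secret2",       # single word plus digit
    "bob": "monday",          # single word
    "carol": "dog2Chop",      # two words, digit in between
    "dave": "flea4Dish",
    "erin": "dOgchoP",        # two words with mid-word case flips
    "frank": "DKipx8b3qw4",   # random string
}


def h(pw: str) -> str:
    # Unsalted, fast hash: the worst case for the defender, the cheapest for the attacker.
    return hashlib.sha256(pw.encode()).hexdigest()


# What a leaked hash file would contain: digest -> account name.
TARGETS = {h(pw): user for user, pw in SAMPLE_USERS.items()}


def case_variants(word: str):
    # The only mangling rules used here: lower-case, capitalised, upper-case.
    return sorted({word.lower(), word.capitalize(), word.upper()})


def wordlist_attack(targets, words):
    """One word plus an optional trailing digit. Returns (cracked, candidates tried)."""
    cracked, tried = {}, 0
    for w in words:
        for v in case_variants(w):
            for d in DIGITS:
                cand = v + d
                tried += 1
                digest = h(cand)
                if digest in targets:
                    cracked[targets[digest]] = cand
    return cracked, tried


def combinator_attack(targets, words):
    """Two distinct words, each case-mangled, with an optional digit between them."""
    cracked, tried = {}, 0
    for w1, w2 in itertools.permutations(words, 2):
        for v1 in case_variants(w1):
            for v2 in case_variants(w2):
                for d in DIGITS:
                    cand = v1 + d + v2
                    tried += 1
                    digest = h(cand)
                    if digest in targets:
                        cracked[targets[digest]] = cand
    return cracked, tried


if __name__ == "__main__":
    for name, attack in (("wordlist", wordlist_attack), ("combinator", combinator_attack)):
        cracked, tried = attack(TARGETS, WORDLIST)
        print(f"{name}: {tried} candidates, cracked {cracked}")
```

The single words fall to the first pass and the two-word passwords to the second; the random string falls to neither. With a real list of N words the combinator space is on the order of N squared before digits and case rules are applied, which is why the two-word scheme is a large step up from a single dictionary word while still being far short of a random 11-character string. "dOgchoP" survives here only because this rule set has no per-position case toggling; the cracking tools people actually run do carry such rules.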

Tyrone Miles

Re: Password Security
« Reply #4 on: November 15, 2002, 11:55:29 PM »
Right. My main goal right now is to get people to change them from time to time and stop them from being able to make it real close to the old one. I am not asking for NSA type security. (And in my situation I am not worried about people writing passwords down because, like I said, the physical computers and areas where a person would write a password are super secure.)

Plus it would make e-smith more attractive to people on secure networks, etc.

Chris