Managing Password Security for Users

Selecting appropriate user passwords is always an exercise in trade-offs. A password such as password (do not laugh, it has been used too often before in the real world with devastating consequences) is just too easy for an intruder to guess, as are simple words or number combinations (a street address, for example). A security auditor for one of my former employers used to take the cover sheet from an employee's personnel file (which contained the usual personal information of name, address, birth date, and so on) and then attempt to log on to a terminal with passwords constructed from that information, and often succeeded in logging on.

On the other hand, a password such as 2a56u"'F($84u&#^Hiu44ik%$([#EJD is sure to present great difficulty to an intruder (or an auditor). However, that password is so difficult to remember that the password owner would likely write it down and tape it next to her keyboard. I worked for a business in which the entry code to one of the buildings was etched into the cigarette bin outside the door; we never found out who did this, but quickly changed the security number. This is but one of many examples of poor security in the field.

The sysadmin has control, with settings in the /etc/shadow file, over how often the password must be changed. The settings can be changed using a text editor, the chage command, or a configuration tool such as Ubuntu's User Manager, as shown previously in Figure 14.1. Click on the Password Info tab under that particular user's Properties to set individual password policies.
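As an added example (not code from the book), the following POSIX shell script shows what the aging fields in /etc/shadow actually mean and how a sysadmin or auditor can evaluate them without touching the real file. The sample lines are constructed, the hash fields are placeholders rather than real hashes, and the user names are invented; the shadow_status function reports where a password stands against its policy, and chage_cmd builds (but does not run) the chage invocation that sets the same fields.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (hash fields are placeholders, not real hashes).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is days since 1970-01-01, as in the real file; 99999 for max means aging is off.
SAMPLE_SHADOW='alice:$6$placeholderhash:19700:0:90:7:::
bob:$6$placeholderhash:19000:0:90:7:14::
carol:!:19800:0:99999:7:::
dave:$6$placeholderhash:0:0:90:7:::'

# shadow_status USER TODAY
#   TODAY is in days since the epoch, e.g. $(( $(date +%s) / 86400 )) on a live system.
#   Prints one of: unknown, locked, must-change, inactive, expired, warn, ok
shadow_status() {
  # Look up the user's line; awk exits 0 whether or not a match is found.
  line=$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u')
  if [ -z "$line" ]; then echo unknown; return 0; fi
  # Split the nine colon-separated fields (IFS applies to this read only).
  IFS=: read -r _name hash last _min max warn inactive _expire _flag <<EOF
$line
EOF
  case "$hash" in
    ''|'!'*|'*'*) echo locked; return 0 ;;   # no usable hash: password login is disabled
  esac
  if [ "$last" -eq 0 ]; then echo must-change; return 0; fi      # lastchg 0 forces a change at next login
  if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo ok; return 0; fi   # aging disabled
  age=$(( $2 - last ))
  # Past max + inactive days the account is disabled, not merely expired.
  if [ -n "$inactive" ] && [ "$age" -gt $(( max + inactive )) ]; then echo inactive; return 0; fi
  if [ "$age" -gt "$max" ]; then echo expired; return 0; fi
  # Warn once the remaining lifetime (max - age) is within the warn window.
  if [ "$age" -ge $(( max - ${warn:-0} )) ]; then echo warn; return 0; fi
  echo ok
}

# chage_cmd MAX WARN USER: the chage command (run as root) that sets the same
# max and warn fields read above. Printed only, so the script needs no privileges.
chage_cmd() {
  printf 'chage -M %s -W %s %s\n' "$1" "$2" "$3"
}

# Example run against the constructed data, with "today" taken as day 19750:
for u in alice bob carol dave; do
  printf '%s: %s\n' "$u" "$(shadow_status "$u" 19750)"
done
chage_cmd 90 7 alice
```

On a real system the same fields can be inspected per user with `chage -l username`; the script's thresholds follow the shadow(5) semantics (warn when the remaining days are within the warn value, expired once the age exceeds max, inactive once it also exceeds max plus the inactive count).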

