Password choices

thad at cup.portal.com
Sun Jul 10 11:19:29 AEST 1988


The following is something pertinent to your question regarding selection
of passwords.  Because it IS of general interest, I'm posting it; don't
know if there ever was a followup, but the suggestions contained herein
are good advice nonetheless.

Enjoy!

thad at cup.portal.com

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

    DDN-MGT-BULLETIN 18                            NETWORK INFO CENTER for
    13 Jan 1984                                DCA DDN Program Mgmt Office
                                               (415) 859-3695  NIC at SRI-NIC


                        Defense   Data   Network

                          MANAGEMENT  BULLETIN

    The DDN MANAGEMENT  BULLETIN is published  by the Network  Information
    Center under DCA contract as a means of communicating official policy,
    procedures and other information of concern to management personnel at
    DDN facilities.  Back issues may be obtained by FTP from the directory
    <DDN-NEWS> at SRI-NIC  [26.0.0.73 and 10.0.0.51].
    **********************************************************************

                INTERIM GUIDANCE FOR HOST PASSWORD DISCIPLINE

    (The following  is  issued as  interim  guidance with  the  intent  of
    issuing  permanent  mandatory   guidance  within   six  months.    The
    instructions in  this Management  Bulletin  should be  followed  until
    superseded.   Your  comments,  criticisms,  and  recommendations   for
    improvement  are  welcome  and  should  be  submitted  by  netmail  to
    GPARK at DDN1.)


                             ---------------


    The past two years have seen an increase in the number of unauthorized
    accesses  to  ARPANET/MILNET  host  computers.  While  many  of  these
    penetrations have  been  relatively benign,  there  has also  been  an
    increase in the number  of malicious attacks.  In response, some  host
    administrators have  implemented  effective  password  systems,  while
    others  have  not,  leaving   themselves  vulnerable  to  the   hacker
    community.

    Analysis of host penetrations reported to DCA has consistently pointed
    to inadequate host password discipline as the primary weakness  making
    these break-ins possible. Some examples of improper password practices
    which have permitted successful intrusion are:

       Passwords which can be logically derived from the users name,  such
       as initials, middle names, parts of names, combinations, etc.

       Passwords based on  proper names (relatives,  States, cars,  boats,
       ball teams, beers, etc.)

       Null passwords (e.g., carriage return for password).

       Unencrypted password files (where encryption is feasible).

       Unlimited password attempts permitted without disconnection.

    Considerable effort has been expended by  DCA and by DARPA to  develop
    an effective network access control mechanism without denying required
    services to legitimate users.  The TAC Access Control System  (TACACS)
    Phase 1, an outcome of this effort, becomes operational on the  MILNET
    17 Jan 1984  with a  universal User  ID and  Access Code  (in the  TAC
    Herald) for familiarization  purposes, and will  be fully  implemented
    February 15, 1984.

    TACACS is expected to effectively  accomplish the task it is  designed
    for.  It must not,  however, be viewed as  a complete solution to  the
    problem,  since,  as  its  name  implies,  it  only  protects  against
    intrusion  via  TAC   ports.   It  provides   no  protection   against
    penetration via host backside dial-ins.  TACACS is like a fence  built
    only around the  front yard.   It remains the  responsibility of  each
    host to extend the fence around  the backside.  It is imperative  that
    host managers examine their facilities and implement the  improvements
    needed to correct the weaknesses discovered.

    A survey of hosts which do have good password discipline reveals  some
    effective practices  which can  be applied  elsewhere.  Either of  the
    following two options  is recommended as  a minimum, with  Option One
    preferred.

    OPTION ONE:

       Discontinue the  practice of  allowing users  to select  their  own
       passwords, and, instead, issue passwords  consisting of at least  8
       alphanumeric characters.  If possible, passwords should be  machine
       generated and distributed to preclude viewing by persons other than
       the intended recipient.  Disable routines which permit the user  to
       change his password once issued unless the changed password is also
       machine generated.  Change and reissue passwords at least annually.
       It is recommended that passwords be pronounceable.

    OPTION TWO:

       Develop and  implement  a password  filter  routine which  will  be
       automatically invoked  whenever a  password is  changed, and  which
       will reject  any unacceptable  user  selected password.   When  the
       password filter is  implemented, require existing  passwords to  be
       changed to ensure all passwords pass the test of acceptability.   A
       password may be considered acceptable if it does not fall into  any
       of the unacceptable password categories listed below.

       UNACCEPTABLE PASSWORDS:

          - Null passwords, i.e., carriage return for password

          - Passwords of less than eight characters

          - Passwords which can be found in the English dictionary

          - Proper names for passwords

          - Passwords  which are permutations of the user's name,  account
            number, etc.

       Anonymous/guest passwords, although acceptable, are discouraged  on
       most machines.  Hosts  which do allow  this convention must  ensure
       that adequate internal safeguards exist to limit usage to only that
       which is intended.


    Whichever of the two options above  is chosen, all hosts should  also
    implement automatic routines to provide for the following.


          - Provide 30 day advance notice of the password expiration date.
            Coupled with the notice should  be a message explaining to the
            user the standards for password selection and the reasons  for
            requiring strict password discipline.  Upon  expiration of the
            password the user should be allowed to log-in with the expired
            password, but only for the purpose of changing the password.

          - Encryption of  password files  is strongly encouraged on those
            machines  where,  in the judgement  of host managers,  it will
            produce a true gain in security.

          - All  unsuccessful log-in attempts  (Server TELNET, Server FTP,
            regular  log-in,  etc.)  should be  logged  and   periodically
            reviewed.  If  the  machine  is attended by  an operator,  the
            operator should be notified. A notice of unsuccessful attempts
            should be published  to the account user  at the  time of  the
            next successful log-in.

          - Auto-disconnect should occur after no more than three unsuccess-
            ful log-in  attempts.    This  is  regardless of the  means  of
            accessing the machine.

    It is a standing requirement that the DDN be used for official Federal
    Government business only.  Activities operating host computers on  the
    DDN must ensure that utilization of their facilities, via the network,
    meets  this  requirement.   Netwide  adoption  of  the  standards  and
    practices requested  in this  bulletin will  substantially reduce  the
    susceptibility  of  individual  hosts  to  successful  penetration  by
    unauthorized users.   Simultaneously, the  opportunity for  any  given
    host to be used as an avenue into the network for penetration of other
    hosts will be correspondingly reduced.

                     -------END OF MESSAGE-------
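The two mechanical parts of the bulletin, the Option Two password filter (null, short, dictionary, proper-name and name-derived passwords rejected) and the required log-in accounting (every failure logged, disconnect after three failures on a connection, the user told about failures at the next successful log-in), are shown below as a Python implementation. This is an added example, not code from the bulletin, from DCA, or from thad's posting. The word list, proper-name list, the user "John Q Public" with account "12345", and the log-in sequence are constructed for the demonstration; a real filter would load the system dictionary and a name list from disk, and the name-derivation rules are one reasonable reading of "initials, middle names, parts of names, combinations".

```python
"""Host-side password discipline in the spirit of DDN-MGT-BULLETIN 18.

Added example, not the bulletin's or the poster's code. ENGLISH_WORDS and
PROPER_NAMES are constructed stand-ins for /usr/dict/words and a name list.
"""
import itertools

ENGLISH_WORDS = {"password", "secret", "welcome", "sunshine", "monkey", "dragon"}
PROPER_NAMES = {"texas", "chevrolet", "yankees", "budweiser", "margaret"}
MIN_LENGTH = 8


def _derived_from_identity(name_parts, account):
    """Strings 'logically derived' from the user's identity: each name part,
    initials, reversed parts, any concatenation of two parts, and the
    account number. Everything is lower-cased for comparison."""
    parts = [p.lower() for p in name_parts if p]
    derived = set(parts)
    derived.add("".join(p[0] for p in parts))          # initials, e.g. jqp
    derived.update(p[::-1] for p in parts)               # reversed parts
    for a, b in itertools.permutations(parts, 2):
        derived.add(a + b)                               # first+last etc.
    if account:
        derived.add(str(account).lower())
    return derived


def check_password(candidate, name_parts=(), account=""):
    """Return the list of bulletin categories the candidate falls into.
    An empty list means the password is acceptable under Option Two."""
    reasons = []
    if candidate == "":
        reasons.append("null password")
        return reasons                  # nothing else worth testing
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in ENGLISH_WORDS:
        reasons.append("found in the English dictionary")
    if lowered in PROPER_NAMES:
        reasons.append("proper name")
    derived = _derived_from_identity(name_parts, account)
    # Exact matches, plus any identity fragment of 3+ characters embedded
    # in the candidate ("parts of names, combinations" in the bulletin).
    if lowered in derived or any(d in lowered for d in derived if len(d) >= 3):
        reasons.append("permutation of the user's name or account number")
    return reasons


class LoginGuard:
    """Per-account log-in accounting: auto-disconnect after max_failures on
    one connection, an audit line per failure for the operator's review,
    and a count of failures reported to the user at the next success."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.session_failures = {}   # account -> failures on this connection
        self.since_success = {}      # account -> failures since last good login
        self.audit = []              # lines an operator reviews periodically

    def attempt(self, account, password_ok):
        """Record one attempt; returns (outcome, failures_since_last_success)
        where outcome is 'ok', 'retry' or 'disconnect'."""
        if password_ok:
            missed = self.since_success.pop(account, 0)
            self.session_failures.pop(account, None)
            self.audit.append(f"{account}: login ok ({missed} failed since last)")
            return "ok", missed
        n = self.session_failures.get(account, 0) + 1
        self.session_failures[account] = n
        self.since_success[account] = self.since_success.get(account, 0) + 1
        self.audit.append(f"{account}: login FAILED (attempt {n} this connection)")
        if n >= self.max_failures:
            del self.session_failures[account]   # the connection is dropped
            return "disconnect", self.since_success[account]
        return "retry", self.since_success[account]


if __name__ == "__main__":
    user, acct = ("John", "Q", "Public"), "12345"
    for pw in ("", "abc", "Sunshine", "Budweiser", "public99", "jqp12345", "Xk7#vR2pL9"):
        print(repr(pw), "->", check_password(pw, user, acct) or "acceptable")
    guard = LoginGuard()
    for ok in (False, False, False, False, True):
        print(guard.attempt("public", ok))
    print("\n".join(guard.audit))
```

Note that `since_success` is deliberately kept across the disconnect: dropping the line after three bad attempts only resets the per-connection counter, so a burst of disconnected attacks is still reported to the legitimate user when they next log in, as the bulletin asks.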


