LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 12-31-2004, 05:59 AM   #1
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Rep: Reputation: 30
Implementing password policy


Hi,
How can password policy be implemented in a company network?
What are the most important rules that must be fallowed?

Now I am thinking of the following rules:

- passwords must be greater than 8 chars (letters, numbers and special chars)
- no dictionary words

This is easy for administration passwords. But what can be done with users' passwords. How can I force windows users to change their password regularly or not to use dictionary words or to have a minimum length of the password? Is the user side of the password policy also important?


How have you implemented a password policy in your network?


ddaas
 
Old 12-31-2004, 07:03 AM   #2
amfoster
Member
 
Registered: Aug 2004
Distribution: debian, SuSE
Posts: 365

Rep: Reputation: 34
password length is defined by an entry in the
/etc/login.defs
file

Rules for passwords such as mixed numbers chars etc are all part of the
Plugable Authentication Modules (PAM)
 
Old 12-31-2004, 01:59 PM   #3
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Milwaukee, WI
Distribution: Mint
Posts: 6,642

Rep: Reputation: 69
Here are a few password policy suggestions:

* PW's should be a minimum length, and should be case-sensitive
* PW's should contain a mix of upper and lower case letters, numbers, and special characters
* No dictionary words
* PW's cannot match the login ID. Similarly, if you know the user's real name, the PW's cannot contain either the first or last name
* PW's should expire after a reasonable amount of time. Previous PW's cannot be reused (meaning you should retain a history of say, the last 4 or 6 passwords each user used)

The trade-off when it comes to passwords is simply that a really good password would be random (eg, "eR5z4jNy+M") but which also makes it very difficult for a person to remember. Plus, if those kinds of PW's expired after say 30 or 60 days, realistically people would end up writing down the PW on paper and taping it to the PC or underneath their keyboard.

In order to overcome the "hard to remember" factor, some companies are implementing a pass-phrase rather than a password. Similarly what you could to would be to have people create a password using the first letter of a favorite quote, song lyric, or whatever. Example: "Sounds like somebody's got a case of the Mondays" becomes "SlsgacotM" which appears quite random, but should be simple for the user who selected it to remember. Good luck with it. As I said the main issue IMO is just finding the right balance between having your users adhere to good PW policies while not making them so hard to remember that people are forced to write them down in plain sight. -- J.W.
 
Old 12-31-2004, 03:02 PM   #4
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Original Poster
Rep: Reputation: 30
J.W., your answer was exactly what I was looking for.
Maybe this is the only way I can force an average user to user "Th7-jMNgb" as password instead of "11nov1980" or "bonjovi".


ddaas
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
password policy Nick Pontelando Linux - Security 9 08-15-2012 10:50 AM
How to set the password policy and lockout policy bin_shell Linux - Security 4 03-24-2010 04:30 PM
Samba System Policy, Default User Policy scooter549 Linux - General 2 02-24-2009 03:23 AM
Password Expiration Policy bspicer Linux - General 7 05-12-2007 04:26 AM
Linux Password Policy MaverickApollo Linux - Security 2 02-07-2004 07:49 AM


All times are GMT -5. The time now is 08:06 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration