=============================================================================
SA-93:04                        SERT Advisory                      1-Jun-1993

           Guidelines For Developing A Sensible Password Policy
-----------------------------------------------------------------------------

This advisory contains guidelines for developing a sensible password policy.
Please feel free to extract the contents of this advisory, modify them to suit
local conditions, and distribute them to end users, as it is end users who are
responsible in the first instance for the security of their individual
accounts.

Without doubt, one of the most popular methods used by computer crackers to
compromise a system is password stealing.  By stealing your username and
password an intruder can, with reduced likelihood of detection, gain access to
your system, modify it for his or her own purposes, and use that system as a
launchpad for attacks on other systems throughout the world - and all in your
name.

Password protection is one of the most (if not the single most) important
principles of system security.  It is equally important for ALL users,
regardless of system privileges or computer literacy.  It is up to each and
every individual to ensure that their password is safe: a single unsafe
password can (and probably will) lead to a computer cracker violating YOUR
system.

Your best line of defence against attack is a secure password.  A password is
like a key, and any entry point that allows access by default is not secure.
A bad password is like leaving your front door unlocked.

Do not underestimate the ease with which your password can be stolen.  There
are many techniques available to do this.  A simple and amazingly successful
technique for the cracker is password guessing, i.e. entering your username
and simply guessing what your password might be.  The aim of this advisory is
to thwart such attempts.

How To Select A Safe Password
-----------------------------

Some systems automatically (and autocratically) allocate passwords to users.
Many systems, however, give the user the option of selecting his or her own
password.  The following guidelines should help in selecting a password which
will be sufficiently robust to prevent a cracker from guessing it in the
majority of cases.  There are several principles involved in selecting a safe
password; these are covered below.

The DO-NOTs

DO NOT use simple passwords that are easy to remember; these are typically not
safe.  Examples of such passwords are:

  - your userid (a common, but extremely dangerous practice);

  - a word which can be associated with you, for example:

      - your car make, model or registration number
      - your child's name
      - your street name, postcode or other address details
      - your Medicare number
      - your tax file number
      - any of your bank account numbers;

  - a word which someone watching could easily spot (qwertyuiop);

  - any dictionary word (which a cracker with a PC and an on-line dictionary
    could discover by exhaustive trial);

  - words from other guessable word sets such as famous names, proper names,
    colloquial terms (in various spheres of life) and so on.

It is not sufficient to include a single number in the word, to change all O's
to 0's and I's or L's to 1's, or to spell the word backwards: password guessing
programs apply exactly these transformations to every dictionary word as a
matter of routine.

DO NOT leave your account without a password.

DO NOT use your userid as your password.

DO NOT use any word from a dictionary (of any language), as most forms of
password attack use dictionaries as a basis for password guessing.

DO NOT use birthdays, car registration numbers, room numbers, department
names, machine names, locations, wife/husband's names, pet's names, children's
names and so on.  These are easily determined, as most of this information is
not confidential.

DO NOT use keyboard patterns or duplicated characters, such as qwerty or
aabbccdd.

DO NOT use the same password on multiple accounts.  If you have many accounts,
do not use the same password on each of them: if one is broken, then all are
broken.
Also, do not just change one character between the passwords of different
accounts, as the pattern is easily spotted if one of the passwords is
compromised.

DO NOT allow anyone to watch while you type your password.

DO NOT record your password on-line (in a file, script or mail message).

DO NOT write down your passwords.

DO NOT tell anyone what your password is.  Do not share your password with
your partner, your children or your friends.  Even telling your dog should be
considered risky!  Do not tell a person verbally, by electronic mail or by any
other means.  Remember: if someone has your password, they can commit criminal
acts using your account!  SERT staff have been alerted to several security
breaches at constituent sites which have been attributed (in total or in part)
to the sharing of passwords between husband and wife, parent and child, and
between friends.

The DOs

DO use a MINIMUM (not a maximum!) of 8 characters, and more where the system
permits.

DO use mixed case wherever possible, and DO NOT simply make the first letter
upper case (e.g. Mich37bo is not as good as MicH37Bo).

DO include at least two digits or punctuation characters, and DO NOT simply
replace "o" and "O" with "0", or "I", "l" and "L" with "1" (e.g. fl0pp1mp is
not as good as fL0$p*Mp).

DO change passwords frequently, and DO NOT reuse old passwords.

Password cracking programs have been around for quite a while now.  Given
enough computing time, any password can be broken.  Applying the techniques
outlined above makes the time required to break a password prohibitively
long.  However, that time drops significantly as soon as part of the password
is known or can be inferred, or other information about it is available.
Passwords should be changed regularly, so that even if a password is finally
guessed it will be long out of date.  A password should never be reused.

General techniques for generating safe passwords include:

  - using two or three short words that are unrelated;
  - always including some non-alphabetic, non-numeric (i.e.
    punctuation) characters;
  - deliberately misspelling;
  - taking the first letter from each word of a phrase (a passphrase).

Note that different operating systems have different rules for the characters
that may be used in a password.  Some operating systems allow any printable
character, whereas others allow only alphabetic and numeric (i.e.
non-punctuation) characters.

After reading all of that, you may ask "well, what is a good password?  What
can I use?".

One technique is to take a two or three word phrase, replace the 1st character
of the 1st word with shift-1 ("!" on most keyboards), the 2nd character of the
2nd word with shift-2 ("@"), and so on, and then convert every second
character, other than punctuation, to upper case.  For example, "my car
smells" becomes !Yc@rSm$lLs.

Another alternative is to take the first letter from each word in a line from
a song, convert every third letter to upper case, and replace the lower-case
vowels a, e, i, o and u with {, }, :, " and ? respectively.  For example, 'Tie
A Yellow Ribbon Round That Old Oak Tree' converts into 't{YrrT""T':

    'Tie A Yellow Ribbon Round That Old Oak Tree'  => 'tayrrtoot'
    Convert every third letter to upper case       => 'taYrrTooT'
    Replace lower case vowels                      => 't{YrrT""T'

Note that these examples should NOT be used, as they are now widely published!

You should be aware of what characters your system will accept in a password,
the length required for a password, and what time period is allowed before the
password will have to be changed again.  You also need to be aware of the
commands used to change passwords.

What System Managers Can Do
---------------------------

Consider using the following techniques.

  - Use Crack, a password cracking tool, to audit existing passwords.  You
    supply a dictionary and a list of massaging rules; Crack encrypts each
    dictionary word, and each rule-generated variant of it, with the same salt
    as the stored encrypted password and compares the results, reporting
    every password it can guess.  Crack is only available for UNIX systems.
  - Consider also the use of password shadowing, which moves the encrypted
    passwords out of /etc/passwd (which must be world-readable) into a file
    that only privileged processes can read, such as /etc/shadow, so that a
    Crack-style attack cannot be run by an ordinary user of the machine.
    Again, this is only applicable to UNIX systems.

  - If your system has a facility to enforce rules on minimum password content
    (e.g. "must include at least 1 upper case and at least 1 numeric"), then
    use this facility.  For UNIX systems which lack it, npasswd or passwd+ are
    good alternatives.

  - If your system has a facility to (a) enforce password ageing, and (b) keep
    a history file of passwords and disallow previous passwords, then use this
    facility also.

  - Keep passwords for system accounts distributed amongst the smallest group
    of people possible, and change these passwords more frequently than
    passwords for non-privileged accounts.

  - Take care with the use of facilities that allow logins which bypass
    passwords.  For instance, on VMS systems, don't allow proxy logins for
    privileged accounts such as "SYSTEM".  On UNIX machines, remove any
    .rhosts files (or /etc/hosts.equiv entries) containing a "+" sign, since a
    "+" grants trust to every host.

Login programs (such as /bin/login on UNIX systems) are constructed to behave
in a certain way.  One method used by crackers to obtain passwords is to run a
program (a trojan horse) which masquerades as the login program.  The trojan
horse accepts your username and password, logs them to a secret file, and then
informs you that the combination entered was incorrect, before finally calling
the real login program.  The user, thinking that this was merely a
typographical error, proceeds as normal, unaware that his or her password has
been recorded for later use.  This can be avoided in some cases by
deliberately entering a wrong username/password combination a few times before
the real one, so that a trojan of the kind described above has already handed
over to the genuine login program.

Finally, system managers should be aware that X display managers (such as xdm)
may bypass several login and system facilities, such as the message of the day
and password ageing.
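The Crack audit described under "What System Managers Can Do", together with
the song-line passphrase recipe from "How To Select A Safe Password", as an
added example.  This is not code from the SERT advisory and it is not the
Crack tool; it assumes a salted SHA-256 stand-in for crypt(3) so that it runs
with the standard library alone, a constructed six-account password file and a
constructed five-word dictionary.  The massaging rules are exactly the
transformations the advisory warns are not sufficient (first letter upper
case, one appended digit, O to 0 and I/L to 1, spelling backwards), plus the
userid itself; the four accounts that use them are guessed, while the
advisory's fL0$p*Mp and the song-line password survive.

```python
"""Crack-style password audit plus the advisory's song-line password recipe.

Added example: not the Crack tool and not code from the SERT advisory.
"""
import hashlib
import string


def stand_in_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3).  Crack hashes each guess exactly as /etc/passwd
    does and compares the 13-character result; salted SHA-256 is used here
    (an assumption) only so the example runs with the standard library."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Substitutions the advisory says are "not sufficient": O -> 0, I/L -> 1.
LEET = str.maketrans({"o": "0", "O": "0", "i": "1", "I": "1", "l": "1", "L": "1"})


def massage(word: str):
    """Yield the rule-generated variants of one dictionary word.  A real
    Crack rules file is far longer; these are the advisory's own examples."""
    yield word
    yield word.capitalize()                 # "only the first letter as uppercase"
    yield word[::-1]                        # spelt backwards
    yield word.translate(LEET)              # m00n for moon
    yield word.capitalize().translate(LEET)
    for d in string.digits:                 # "a single number in the word"
        yield word + d
        yield word.capitalize() + d


def audit(records, dictionary):
    """records: (userid, salt, stored_hash) triples as read from the password
    file.  Returns {userid: (guess, rule)} for every account that was guessed."""
    guessed = {}
    for userid, salt, stored in records:
        candidates = [(userid, "userid")]   # the first DO-NOT, tried first
        candidates += [(v, "dictionary word " + w)
                       for w in dictionary for v in massage(w)]
        for guess, rule in candidates:
            if stand_in_crypt(guess, salt) == stored:
                guessed[userid] = (guess, rule)
                break
    return guessed


def song_line_password(line: str) -> str:
    """The advisory's recipe: first letter of each word, every third letter
    upper-cased, then the lower-case vowels a e i o u replaced by { } : " ?."""
    initials = "".join(w[0].lower() for w in line.split())
    cased = "".join(c.upper() if (i + 1) % 3 == 0 else c
                    for i, c in enumerate(initials))
    return cased.translate(str.maketrans("aeiou", '{}:"?'))


# Constructed sample data.  Only the salts and hashes would exist on disk; the
# plaintexts are listed so the reader can see why each account falls.
DICTIONARY = ["secret", "moon", "yellow", "ribbon", "password"]
SAMPLE_PASSWORDS = {
    "fred":    "fred",        # userid as password
    "wilma":   "Secret1",     # dictionary word, capitalised, one digit added
    "barney":  "terces",      # dictionary word spelt backwards
    "betty":   "m00n",        # O -> 0 substitution
    "dino":    "fL0$p*Mp",    # the advisory's "good" example
    "pebbles": song_line_password("Tie A Yellow Ribbon Round That Old Oak Tree"),
}
RECORDS = [(u, u[:2], stand_in_crypt(p, u[:2])) for u, p in SAMPLE_PASSWORDS.items()]


if __name__ == "__main__":
    result = audit(RECORDS, DICTIONARY)
    for userid, (guess, rule) in sorted(result.items()):
        print(f"{userid:8} guessed: {guess!r:14} via {rule}")
    survivors = sorted(set(SAMPLE_PASSWORDS) - set(result))
    print("not guessed:", ", ".join(survivors))
```

Run as a script it lists fred, wilma, barney and betty as guessed and dino and
pebbles as survivors.  The point of the audit loop is that every rule costs
the attacker only one extra hash per dictionary word, so a password that is a
mangled dictionary word is no safer than the word itself.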
Depending upon the sensitivity of your site, this bypassing of the normal
login checks may present some problems which will need resolution by other,
more lateral, means.

If you believe that your system has been compromised, contact SERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

        Internet Email: sert@sert.edu.au
        Facsimile:      (07) 365 4477
        Telephone:      (07) 365 4417

SERT personnel answer during business hours (AEST - GMT+10:00).

Security Emergency Response Team
Prentice Centre
The University of Queensland
Australia