Xref: utzoo comp.unix.questions:8247 comp.misc:2800
Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!decwrl!sun!imagen!atari!portal!cup.portal.com!thad
From: thad@cup.portal.com
Newsgroups: comp.unix.questions,comp.misc
Subject: Re: Password choices
Message-ID: <7237@cup.portal.com>
Date: 10 Jul 88 01:19:29 GMT
References: <4387@ptsfa.PacBell.COM>
Organization: The Portal System (TM)
Lines: 164
XPortal-User-Id: 1.1001.2826

The following is something pertinent to your question regarding selection of passwords. Because it IS of general interest, I'm posting it; don't know if there ever was a followup, but the suggestions contained herein are good advice nonetheless.

Enjoy!

thad@cup.portal.com

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

DDN-MGT-BULLETIN 18                        NETWORK INFO CENTER for
13 Jan 1984                                DCA DDN Program Mgmt Office
                                           (415) 859-3695
                                           NIC@SRI-NIC

                        Defense Data Network
                         MANAGEMENT BULLETIN

The DDN MANAGEMENT BULLETIN is published by the Network Information Center under DCA contract as a means of communicating official policy, procedures and other information of concern to management personnel at DDN facilities. Back issues may be obtained by FTP from the directory at SRI-NIC [26.0.0.73 and 10.0.0.51].

**********************************************************************

            INTERIM GUIDANCE FOR HOST PASSWORD DISCIPLINE

(The following is issued as interim guidance with the intent of issuing permanent mandatory guidance within six months. The instructions in this Management Bulletin should be followed until superseded. Your comments, criticisms, and recommendations for improvement are welcome and should be submitted by netmail to GPARK@DDN1.)

---------------

The past two years have seen an increase in the number of unauthorized accesses to ARPANET/MILNET host computers. While many of these penetrations have been relatively benign, there has also been an increase in the number of malicious attacks.
In response, some host administrators have implemented effective password systems, while others have not, leaving themselves vulnerable to the hacker community. Analysis of host penetrations reported to DCA has consistently pointed to inadequate host password discipline as the primary weakness making these break-ins possible. Some examples of improper password practices which have permitted successful intrusion are:

  - Passwords which can be logically derived from the user's name, such as initials, middle names, parts of names, combinations, etc.
  - Passwords based on proper names (relatives, States, cars, boats, ball teams, beers, etc.)
  - Null passwords (e.g., carriage return for password).
  - Unencrypted password files (where encryption is feasible).
  - Unlimited password attempts permitted without disconnection.

Considerable effort has been expended by DCA and by DARPA to develop an effective network access control mechanism without denying required services to legitimate users. The TAC Access Control System (TACACS) Phase 1, an outcome of this effort, becomes operational on the MILNET 17 Jan 1984 with a universal User ID and Access Code (in the TAC Herald) for familiarization purposes, and will be fully implemented February 15, 1984.

TACACS is expected to effectively accomplish the task it is designed for. It must not, however, be viewed as a complete solution to the problem, since, as its name implies, it only protects against intrusion via TAC ports. It provides no protection against penetration via host backside dial-ins. TACACS is like a fence built only around the front yard. It remains the responsibility of each host to extend the fence around the backside. It is imperative that host managers examine their facilities and implement the improvements needed to correct the weaknesses discovered.

A survey of hosts which do have good password discipline reveals some effective practices which can be applied elsewhere.
Either of the following two options is recommended as a minimum, with Option One preferred.

OPTION ONE: Discontinue the practice of allowing users to select their own passwords, and, instead, issue passwords consisting of at least 8 alphanumeric characters. If possible, passwords should be machine generated and distributed to preclude viewing by persons other than the intended recipient. Disable routines which permit the user to change his password once issued unless the changed password is also machine generated. Change and reissue passwords at least annually. It is recommended that passwords be pronounceable.

OPTION TWO: Develop and implement a password filter routine which will be automatically invoked whenever a password is changed, and which will reject any unacceptable user selected password. When the password filter is implemented, require existing passwords to be changed to insure all passwords pass the test of acceptability. A password may be considered acceptable if it does not fall into any of the unacceptable password categories listed below.

UNACCEPTABLE PASSWORDS:

  - Null passwords, i.e., carriage return for password
  - Passwords of less than eight characters
  - Passwords which can be found in the English dictionary
  - Proper names for passwords
  - Passwords which are permutations of the user's name, account number, etc.

Anonymous/guest passwords, although acceptable, are discouraged on most machines. Hosts which do allow this convention must insure that adequate internal safeguards exist to limit usage to only that which is intended.

Whichever of the two options above is chosen, all hosts should also implement automatic routines to provide for the following.

  - Provide 30 day advance notice of the password expiration date. Coupled with the notice should be a message explaining to the user the standards for password selection and the reasons for requiring strict password discipline. Upon expiration of the password the user should be allowed to log-in with the expired password, but only for the purpose of changing the password.
  - Encryption of password files is strongly encouraged on those machines where, in the judgement of host managers, it will produce a true gain in security.
  - All unsuccessful log-in attempts (Server TELNET, Server FTP, regular log-in, etc.) should be logged and periodically reviewed. If the machine is attended by an operator, the operator should be notified. A notice of unsuccessful attempts should be published to the account user at the time of the next successful log-in.
  - Auto-disconnect should occur after no more than three unsuccessful log-in attempts. This is regardless of the means of accessing the machine.

It is a standing requirement that the DDN be used for official Federal Government business only. Activities operating host computers on the DDN must insure that utilization of their facilities, via the network, meets this requirement.

Netwide adoption of the standards and practices requested in this bulletin will substantially reduce the susceptibility of individual hosts to successful penetration by unauthorized users. Simultaneously, the opportunity for any given host to be used as an avenue into the network for penetration of other hosts will be correspondingly reduced.

-------END OF MESSAGE-------
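One way to build the Option Two password filter the bulletin asks for, as an added example that is not part of thad's post or of the bulletin itself. It applies the five UNACCEPTABLE PASSWORDS rules and also catches the initials/name-part cases from the earlier list; the dictionary and proper-name sets are constructed stand-ins for a real word list, and `check_password` and its helpers are names chosen here, not anything from the bulletin.

```python
# Added example: a password filter in the spirit of Option Two of DDN-MGT-BULLETIN 18.
# Not code from the bulletin; the word lists below are constructed stand-ins for a
# real dictionary file and a proper-name list a host would actually load.

DICTIONARY = {"password", "computer", "welcome", "sunshine", "baseball"}
PROPER_NAMES = {"california", "chevrolet", "budweiser", "michigan", "dolphins"}


def _identity_tokens(user: str, account: str, full_name: str) -> list[str]:
    """User name, account number, each part of the full name, and the initials."""
    parts = full_name.lower().split()
    tokens = [user.lower(), account.lower()] + parts
    if parts:
        tokens.append("".join(p[0] for p in parts))
    return [t for t in tokens if t]


def _derived_from_identity(pw: str, tokens: list[str]) -> bool:
    """Reject the name/account tricks the bulletin lists: the token itself, any
    rearrangement of its characters, its reverse, or the token embedded in the
    password (e.g. 'smith1984').  Substring checks need tokens of three or more
    characters, otherwise two-letter initials would reject almost everything."""
    for token in tokens:
        if sorted(pw) == sorted(token):          # permutation (covers equality)
            return True
        if len(token) >= 3 and (token in pw or token[::-1] in pw):
            return True
    return False


def check_password(pw: str, user: str, account: str = "", full_name: str = "") -> list[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    reasons = []
    lowered = pw.lower()
    if pw == "":
        reasons.append("null password")
    if len(pw) < 8:
        reasons.append("fewer than eight characters")
    if lowered in DICTIONARY:
        reasons.append("English dictionary word")
    if lowered in PROPER_NAMES:
        reasons.append("proper name")
    if _derived_from_identity(lowered, _identity_tokens(user, account, full_name)):
        reasons.append("permutation of user name or account number")
    return reasons


if __name__ == "__main__":
    # Constructed sample user: login jsmith, account 4471, John Smith.
    for pw in ("", "sunshine", "jsmith1984", "Kx7#pQ2v"):
        print(repr(pw), check_password(pw, "jsmith", "4471", "John Smith") or "acceptable")
```

A real deployment would hook this into the password-change routine and keep the dictionary on disk; the rules themselves are the bulletin's, the thresholds and token handling are this example's.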