Creating User Passwords Within an Organization

If an organization has a large number of users, the system administrators have two basic options available to force the use of good passwords. They can create passwords for the user, or they can let users create their own passwords, while verifying the passwords are of acceptable quality.

Creating the passwords for the users ensures that the passwords are good, but it becomes a daunting task as the organization grows. It also increases the risk of users writing their passwords down.

For these reasons, most system administrators prefer to have the users create their own passwords, but actively verify that the passwords are good and, in some cases, force users to change their passwords periodically through password aging.

2.1.3.2.1. Forcing Strong Passwords

To protect the network from intrusion it is a good idea for system administrators to verify that the passwords used within an organization are strong ones. When users are asked to create or change passwords, they can use the command line application passwd, which is Pluggable Authentication Modules (PAM) aware and therefore checks to see if the password is too short or otherwise easy to crack. This check is performed using the pam _cracklib.so PAM module. In Red Hat Enterprise Linux, the pam _cracklib PAM module can be used to check a password's strength against a set of rules. It can be stacked alongside other PAM modules in the password component of the/etc/pam .d/passwd file to configure a custom set of rules for user login. The pam _cracklib's routine consists of two parts:

it checks whether the password provided is found in a dictionary, and, if that's not the case, it continues with a number of additional checks. For a complete list of these checks, refer to the pam _cracklib(8) manual page.

Example 2.1. Configuring password strength-checking with pam _cracklib

To require a password with a minimum length of 8 characters, including all four classes of characters, add the following line to the password section of the /etc/pam .d/passwd file:

password required pam_cracklib.so retry=3 minlen=8 minclass=4

To set a password strength-check for consecutive or repetitive characters, add the following line to the password section of the /etc/pam .d/passwd file:

password required pam_cracklib.so retry=3 maxsequence=3 maxrepeat=3 In this example, the password entered cannot contain more than 3 consecutive characters, such as

"abcd" or "1234". Additionally, the number of identical consecutive characters is limited to 3.

Note

As these checks are not performed for the root user, he can set any password for a regular user, despite the warning messages.

Since PAM is customizable, it is possible to add more password integrity checkers, such as

pam _passwdqc (available from http://www.openwall.com/passwdqc/) or to write a new module. For a list

of available PAM modules, refer to http://uw714doc.sco.com/en/SEC_pam/pam-6.html. For more information about PAM, refer to the Managing Single Sign-On and Smart Cards guide.

The password check that is performed at the time of their creation does not discover bad passwords as effectively as running a password cracking program against the passwords.

Many password cracking programs are available that run under Red Hat Enterprise Linux, although none ship with the operating system. Below is a brief list of some of the more popular password cracking programs:

John The Ripper — A fast and flexible password cracking program. It allows the use of multiple word lists and is capable of brute-force password cracking. It is available online at

http://www.openwall.com/john/.

Crack — Perhaps the most well known password cracking software, Crack is also very fast, though not as easy to use as John The Ripper.

Slurpie — Slurpie is similar to John The Ripper and Crack, but it is designed to run on multiple computers simultaneously, creating a distributed password cracking attack. It can be found along with a number of other distributed attack security evaluation tools online at

http://www.ussrback.com/distributed.htm.

Warning

Always get authorization in writing before attempting to crack passwords within an organization.

2.1.3.2.2. Passphrases

Passphrases and passwords are the cornerstone to security in most of today's systems. Unfortunately, techniques such as biometrics and two-factor authentication have not yet become mainstream in many systems. If passwords are going to be used to secure a system, then the use of passphrases should be considered. Passphrases are longer than passwords and provide better protection than a password even when implemented with non-standard characters such as numbers and symbols.

2.1.3.2.3. Password Aging

Password aging is another technique used by system administrators to defend against bad passwords within an organization. Password aging means that after a specified period (usually 90 days), the user is prompted to create a new password. The theory behind this is that if a user is forced to change his password periodically, a cracked password is only useful to an intruder for a limited amount of time. The downside to password aging, however, is that users are more likely to write their passwords down.

There are two primary programs used to specify password aging under Red Hat Enterprise Linux: the chage command or the graphical User Manager (system -config-users) application.

Important

Shadow passwords must be enabled to use the chage command. For more information, see the Red Hat Enterprise Linux 6 Deployment Guide.

The -M option of the chage command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days, use the following command:

chage -M 90 <username>

In the above command, replace <username> with the name of the user. To disable password expiration, it is traditional to use a value of 99999 after the -M option (this equates to a little over 273 years).

For more information on the options available with the chage command, refer to the table below.

Table 2.1. chage command line options

Option Description

-d days Specifies the number of days since January 1, 1970 the password was changed.

-E date Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.

-I days Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires.

-l Lists current account aging settings.

-m days Specify the minimum number of days after which the user must change passwords. If the value is 0, the password does not expire.

-M days Specify the maximum number of days for which the password is valid.

When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.

-W days Specifies the number of days before the password expiration date to warn the user.

You can also use the chage command in interactive mode to modify multiple password aging and account details. Use the following command to enter interactive mode:

chage <username>

The following is a sample interactive session using this command:

~]# chage juan

Changing the aging information for juan

Enter the new value, or press ENTER for the default Minimum Password Age [0]: 10

Maximum Password Age [99999]: 90

Last Password Change (YYYY-MM-DD) [2006-08-18]:

Password Expiration Warning [7]:

Password Inactive [-1]:

Account Expiration Date (YYYY-MM-DD) [1969-12-31]:

You can configure a password to expire the first time a user logs in. This forces users to change passwords immediately.

1. Set up an initial password. There are two common approaches to this step: you can either assign a default password, or you can use a null password.

To assign a default password, type the following at a shell prompt as root:

passwd username

To assign a null password instead, use the following command:

passwd -d username