Password Securit y

4.1.1.1. Creating Strong Passwords

Whe n cre ating a s e cure pas s word, the us e r mus t re me mbe r that long pas s words are s tronge r than s hort and comple x one s . It is not a good ide a to cre ate a pas s word of jus t e ight characte rs , e ve n if it contains digits , s pe cial characte rs and uppe rcas e le tte rs . Pas s word cracking tools , s uch as John The Rippe r, are optimize d for bre aking s uch pas s words , which are als o hard to re me mbe r by a pe rs on.

In information the ory, e ntropy is the le ve l of unce rtainty as s ociate d with a random variable and is pre s e nte d in bits . The highe r the e ntropy value , the more s e cure the pas s word is . According to NIST SP 800-63-1, pas s words that are not pre s e nt in a dictionary compris e d of 50000 commonly s e le cte d pas s words s hould have at le as t 10 bits of e ntropy. As s uch, a pas s word that cons is ts of four random words contains around 40 bits of e ntropy. A long pas s word cons is ting of multiple words for adde d s e curity is als o calle d a passphrase, for e xample :

randomword1 randomword2 randomword3 randomword4

If the s ys te m e nforce s the us e of uppe rcas e le tte rs , digits , or s pe cial characte rs , the pas s phras e that follows the above re comme ndation can be modifie d in a s imple way, for e xample by changing the firs t characte r to uppe rcas e and appe nding "1!". Note that s uch a modification does not incre as e the s e curity of the pas s phras e s ignificantly.

Anothe r way to cre ate a pas s word yours e lf is us ing a pas s word ge ne rator. The pwmake is a command-line tool for ge ne rating random pas s words that cons is t of all four groups of characte rs – uppe rcas e , lowe rcas e , digits and s pe cial characte rs . The utility allows you to s pe cify the numbe r of e ntropy bits that are us e d to ge ne rate the pas s word. The e ntropy is pulle d from /dev/urandom. The minimum numbe r of bits you can s pe cify is 56, which is e nough for pas s words on s ys te ms and s e rvice s whe re brute force attacks are rare . 64 bits is ade quate for applications whe re the attacke r doe s not have dire ct acce s s to the pas s word has h file . For s ituations whe n the attacke r might obtain the dire ct acce s s to the pas s word has h or the pas s word is us e d as an e ncryption ke y, 80 to 128 bits s hould be us e d. If you s pe cify an invalid numbe r of e ntropy bits , pwmake will us e the de fault of bits . To cre ate a pas s word of 128 bits , run the following command:

pwmake 128

While the re are diffe re nt approache s to cre ating a s e cure pas s word, always avoid the following bad practice s :

Us ing a s ingle dictionary word, a word in a fore ign language , an inve rte d word, or only numbe rs .

Us ing le s s than 10 characte rs for a pas s word or pas s phras e . Us ing a s e que nce of ke ys from the ke yboard layout.

Writing down your pas s words .

Us ing pe rs onal information in a pas s word, s uch as birth date s , annive rs arie s , family me mbe r name s , or pe t name s .

Us ing the s ame pas s phras e or pas s word on multiple machine s .

While cre ating s e cure pas s words is impe rative , managing the m prope rly is als o important, e s pe cially for s ys te m adminis trators within large r organizations . The following s e ction de tails good practice s for cre ating and managing us e r pas s words within an organization.

4.1.1.2. Forcing Strong Passwords

If an organization has a large numbe r of us e rs , the s ys te m adminis trators have two bas ic options available to force the us e of s trong pas s words . The y can cre ate pas s words for the us e r, or the y can le t us e rs cre ate the ir own pas s words while ve rifying the pas s words are of ade quate s tre ngth.

Cre ating the pas s words for the us e rs e ns ure s that the pas s words are good, but it be come s a daunting tas k as the organization grows . It als o incre as e s the ris k of us e rs writing the ir pas s words down, thus e xpos ing the m.

For the s e re as ons , mos t s ys te m adminis trators pre fe r to have the us e rs cre ate the ir own pas s words , but active ly ve rify that the s e pas s words are s trong e nough. In s ome cas e s , adminis trators may force us e rs to change the ir pas s words pe riodically through pas s word aging.

Whe n us e rs are as ke d to cre ate or change pas s words , the y can us e the passwd

command-line utility, which is PAM-aware (Pluggable Authentication Modules) and che cks to s e e if the pas s word is too s hort or othe rwis e e as y to crack. This che cking is pe rforme d by the pam_pwquality.so PAM module .

Note

In Re d Hat Ente rpris e Linux 7, the pam_pwquality PAM module re place d

pam_cracklib, which was us e d in Re d Hat Ente rpris e Linux 6 as a de fault module for pas s word quality che cking. It us e s the s ame back e nd as pam_cracklib.

The pam_pwquality module is us e d to che ck a pas s word's s tre ngth agains t a s e t of rule s . Its proce dure cons is ts of two s te ps : firs t it che cks if the provide d pas s word is found in a dictionary. If not, it continue s with a numbe r of additional che cks . pam_pwquality is s tacke d alongs ide othe r PAM module s in the password compone nt of the

/etc/pam.d/passwd file , and the cus tom s e t of rule s is s pe cifie d in the

/etc/security/pwquality.conf configuration file . For a comple te lis t of the s e che cks , s e e the pwquality.conf (8) manual page .

Example 4.1. Co nf iguring passwo rd st rengt h-checking in pwquality.conf To e nable us ing pam_quality, add the following line to the password s tack in the /etc/pam.d/passwd file :

password required pam_pwquality.so retry=3

Options for the che cks are s pe cifie d one pe r line . For e xample , to re quire a pas s word with a minimum le ngth of 8 characte rs , including all four clas s e s of characte rs , add the following line s to the /etc/security/pwquality.conf file :

minlen=8 minclass=4

To s e t a pas s word s tre ngth-che ck for cons e cutive or re pe titive characte rs , add the following line s to /etc/security/pwquality.conf:

maxsequence=3 maxrepeat=3

In this e xample , the pas s word e nte re d cannot contain more than 3 cons e cutive

characte rs , s uch as "abcd" or "1234". Additionally, the numbe r of ide ntical cons e cutive characte rs is limite d to 3.

Note

As the root us e r is the one who e nforce s the rule s for pas s word cre ation, he can s e t any pas s word for hims e lf or for a re gular us e r, de s pite the warning me s s age s .

4.1.1.3. Conf iguring Password Aging

Pas s word aging is anothe r te chnique us e d by s ys te m adminis trators to de fe nd agains t bad pas s words within an organization. Pas s word aging me ans that afte r a s pe cifie d pe riod (us ually 90 days ), the us e r is prompte d to cre ate a ne w pas s word. The the ory be hind this is that if a us e r is force d to change his pas s word pe riodically, a cracke d pas s word is only us e ful to an intrude r for a limite d amount of time . The downs ide to pas s word aging, howe ve r, is that us e rs are more like ly to write the ir pas s words down.

To s pe cify pas s word aging unde r Re d Hat Ente rpris e Linux 7, make us e of the chage command.

Important

In Re d Hat Ente rpris e Linux 7, s hadow pas s words are e nable d by de fault. For more information, s e e the Re d Hat Ente rpris e Linux 7 Sys te m Adminis trator's Guide.

The -M option of the chage command s pe cifie s the maximum numbe r of days the pas s word is valid. For e xample , to s e t a us e r's pas s word to e xpire in 90 days , us e the following command:

chage -M 90 <username>

In the above command, re place <username> with the name of the us e r. To dis able pas s word e xpiration, it is traditional to us e a value of 99999 afte r the -M option (this e quate s to a little ove r 273 ye ars ).

For more information on the options available with the chage command, s e e the table be low.

T able 4.1. chage co mmand line o pt io ns

Opt io n Descript io n

-d days Spe cifie s the numbe r of days s ince January 1, 1970 the pas s word was change d.

-E date Spe cifie s the date on which the account is locke d, in the format YYYY-MM-DD. Ins te ad of the date , the numbe r of days s ince January 1, 1970 can als o be us e d.

-I days Spe cifie s the numbe r of inactive days afte r the pas s word e xpiration be fore locking the account. If the value is 0, the account is not locke d afte r the pas s word e xpire s .

-l Lis ts curre nt account aging s e ttings .

-m days Spe cify the minimum numbe r of days afte r which the us e r mus t change pas s words . If the value is 0, the pas s word doe s not e xpire .

-M days Spe cify the maximum numbe r of days for which the

pas s word is valid. Whe n the numbe r of days s pe cifie d by this option plus the numbe r of days s pe cifie d with the -d option is le s s than the curre nt day, the us e r mus t change pas s words be fore us ing the account.

-W days Spe cifie s the numbe r of days be fore the pas s word e xpiration date to warn the us e r.

You can als o us e the chage command in inte ractive mode to modify multiple pas s word aging and account de tails . Us e the following command to e nte r inte ractive mode :

chage <username>

The following is a s ample inte ractive s e s s ion us ing this command:

~]# chage juan

Changing the aging information for juan

Enter the new value, or press ENTER for the default Minimum Password Age [0]: 10

Maximum Password Age [99999]: 90

Last Password Change (YYYY-MM-DD) [2006-08-18]:

Password Expiration Warning [7]:

Password Inactive [-1]:

Account Expiration Date (YYYY-MM-DD) [1969-12-31]:

You can configure a pas s word to e xpire the firs t time a us e r logs in. This force s us e rs to change pas s words imme diate ly.

1. Se t up an initial pas s word. The re are two common approache s to this s te p: you can e ithe r as s ign a de fault pas s word, or you can us e a null pas s word.

To as s ign a de fault pas s word, type the following at a s he ll prompt as root:

passwd username

To as s ign a null pas s word ins te ad, us e the following command:

passwd -d username

Warning

Us ing a null pas s word, while conve nie nt, is a highly ins e cure practice , as any third party can log in firs t and acce s s the s ys te m us ing the ins e cure

us e rname . Avoid us ing null pas s words whe re ve r pos s ible . If it is not pos s ible , always make s ure that the us e r is re ady to log in be fore unlocking an account with a null pas s word.

2. Force imme diate pas s word e xpiration by running the following command as root:

chage -d 0 username

This command s e ts the value for the date the pas s word was las t change d to the e poch (January 1, 1970). This value force s imme diate pas s word e xpiration no matte r what pas s word aging policy, if any, is in place .

Upon the initial log in, the us e r is now prompte d for a ne w pas s word.