Password Security

Passwords are the primary way Red Hat Linux verifies that the user logging into the system is who he claims to be. This is why password security is enormously important for protection of the user, the workstation, and the network.

For security purposes, the Red Hat Linux installation program defaults to using the Message-Digest Algorithm (MD5) and shadow passwords. It is highly recommended that you do not alter these settings.

If you deselect MD5 passwords during installation, the older Data Encryption Standard (DES) format is used. This format limits passwords to eight alphanumeric character passwords (disallowing punctuation and other special characters) and provides a modest 56-bit level of encryption.

If you deselect shadow passwords, all user passwords will be stored as a one-way hash in the world-readable file /etc/passwd. This opens up your system to offline password cracking attacks. If an intruder can gain access to the machine as a regular user, he can view the /etc/passwd file and run any number of password cracking programs against it on his own machine. If there is an insecure password in the file, it is only a matter of time before the password cracker discovers it.

Shadow passwords eliminate this type of attack by storing the password hashes in the file /etc/shadow which is readable only by the root user.

This forces a potential attacker to attempt password cracking remotely by logging into a network service on the machine, such as SSH or FTP. This sort of brute-force attack is much slower and leaves an obvious trail as hundreds of failed login attempts will appear in the log files. Of course, if the cracker starts an attack in the middle of the night and you have weak passwords, he may have gained access before dawn.

Beyond matters of format and storage is the issue of content. The single most important thing a user can do to protect his account is create a strong password, which make it less susceptible to a password cracking attack.

Creating Strong Passwords

When creating a password, it is a good idea to follow these guidelines:

Do Not Do the Following:

  • Do Not Use Only Words or Numbers — You should never use solely numbers or words in a password.

    Some examples include the following:

    • 8675309

    • juan

    • hackme

  • Do Not Use Recognizable Words — Words such as proper names, dictionary words, or even terms from television shows or novels should be avoided, even if they are bookended with numbers.

    • john1

    • DS-9

    • mentat123

  • Do Not Use Words in Foreign Languages — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is of little use.

    Some examples include the following:

    • cheguevara

    • bienvenido1

    • 1dumbKopf

  • Do Not Use Hacker Terminology — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak.

    Some examples include the following:

    • H4X0R

    • 1337

  • Do Not Use Personal Information — Steer clear of personal information. If the attacker knows who you are, they will have an easier time figuring out your password if it includes information such as:

    • Your name

    • The names of pets

    • The names of family members

    • Any birth dates

    • Your phone number or zip code

  • Do Not Invert Recognizable Words — Good password checkers always reverse common words, so inverting a bad password does not make it any more secure.

    Some examples include the following:

    • R0X4H

    • nauj

    • 9-DS

  • Do Not Write Down Your Password — Never store your password on paper. It is much safer to memorize it.

  • Do Not Use the Same Password For All Machines — It is important that you make separate passwords for each machine. This way if one system is compromised, all of your machines will not be immediately at risk.

Do the Following:

  • Make the Password At Least Eight Characters Long — The longer the password is, the better. If you are using MD5 passwords, it should be 15 characters long or longer. With DES passwords, use the maximum length — eight characters.

  • Mix Upper and Lower Case Letters — Red Hat Linux is case sensitive, so by mixing cases, you will enhance the strength of the password.

  • Mix Letters and Numbers — Adding numbers to passwords, especially when added to the middle (not just at the beginning or the end), can enhance password strength.

  • Include Non-Alphanumeric Characters — Special characters such as &, $, and > can greatly improve the strength of a password.

  • Pick a Password You Can Remember — The best password in the world does you little good if you cannot remember it. So use acronyms or other mnemonic devices to aid in memorizing passwords.

With all these rules, it may seem difficult to create a password meeting all of the criteria for good passwords while avoiding the traits of a bad one. Fortunately, there are some simple steps one can take to generate a memorable, secure password.

Secure Password Creation Methodology

There are many methods people use to create secure passwords. One of the more popular methods involves acronyms. For example:

  • Think of a memorable phrase, such as:

    "over the hills and far away, to grandmothers house we go."

  • Next, turn it into an acronym (including the punctuation).

    othafa,tgmhwg.

  • Add complexity by substituting numbers and symbols for letters in the acronym. For example, substitute 7 for t and the at symbol (@) for a:

    o7h@f@,7gmhwg.

  • Add more complexity by capitalizing at least one letter, such as H.

    o7H@f@,7gmHwg.

  • Finally, do not use the example password above on any of your systems.

While creating secure passwords is imperative, managing them properly is also important, especially for system administrators within larger organizations. The next section will detail good practices for creating and managing user passwords within an organization.

Creating User Passwords Within an Organization

If there are a significant number of users in an organization, the system administrator has two basic options available to force the use of good passwords. They can create passwords for the user, or they can let the user create his own passwords, while verifying the passwords are of acceptable quality.

Creating the passwords for the users ensures that the passwords are good, but it becomes a daunting task as the organization grows. It also increases the risk of users writing their passwords down.

For these reasons, system administrators prefer to have the user create their own passwords, but actively verify that the passwords are good and, in some cases, force users to change their passwords periodically through password aging.

Forcing Strong Passwords

To protect the network from intrusion it is a good idea for system administrators to verify that the passwords used within an organization are strong ones. When a user is asked to create or change his password, he can use the command line application passwd, which is PAM aware and will therefore check to see if the password is easy to crack or too short in length via the pam_cracklib.so Pluggable Authentication manager (PAM) module. Since PAM is customizable, it is possible to add further password integrity checkers, such as pam_passwdqc (available from http://www.openwall.com/passwdqc/) or to write your own module. For a list of available PAM modules, see http://www.kernel.prg/pub/linux/libs/pam/modules.html. For more information about PAM, see the chapter titled Pluggable Authentication Modules (PAM) in the Official Red Hat Linux Reference Guide.

It should be noted, however, that the check performed on passwords at the time of their creation will not discover bad passwords as effectively as running a password cracking program against the passwords within the organization.

There are many password cracking programs available for Red Hat Linux, although none ship with the operating system. Below is a brief list of some of the more popular password cracking programs:

  • John The Ripper — A fast and flexible password cracking program. It allows the use of multiple word lists and is capable of brute-force password cracking. It is available at http://www.openwall.com/john/.

  • Crack — Perhaps the most well known password cracking software, Crack is also very fast, though not as easy to use as John The Ripper. It can be found at http://www.users.dircon.co.uk/~crypto/index.html

  • Slurpie — Slurpie is similar to John The Ripper and Crack except it is designed to run on multiple computers simultaneously, creating a distributed password cracking attack. It can be found along with a number of other distributed attack security evaluation tools at http://www.ussrback.com/distributed.htm

WarningWarning
 

Always get authorization in writing before attempting to crack passwords within an organization.

Password Aging

Password aging is another technique used by system administrators to defend against bad passwords within an organization. Password aging means that after a set amount of time, usually 90 days, the user will be prompted to come up with a new password. The theory behind this is that if a user is forced to change his password periodically, a cracked password is only useful to an intruder for a limited amount of time. The downside to password aging, however, is that users are more likely to write their passwords down.

Their are two primary ways to enforce password aging under Red Hat Linux. you can use the command chage or the graphical application User Manager.

The -M option of the chage command specifies the maximum number of days the password is valid. So, for instance, if you want a user's password to expire in 90 days, type the following command:

chage -M 90 username

In the above command, replace username with the name of the user. If you do not want the password to expire, it is traditional to use a value of 99999 after the -M option (this equates to a little over 273 years).

If want to use the graphical User Manager application to create password aging policies, go to the Main Menu Button (on the Panel) => System Settings => Users & Groups or type the command redhat-config-users at a shell prompt (for example, in an XTerm or a GNOME terminal). Click on the Users tab, select the user from the user list, and click Properties from the button menu (or choose File => Properties from the pull-down menu).

Then click the Password Info tab and enter the number of days before the password expires, as shown in Figure 4-1.

Figure 4-1. User Password Info Pane

For more information on using the User Manager to do this, see the chapter titled User and Group Configuration in the Official Red Hat Linux Customization Guide.