User's Manual

Solaris 9 Security CX-310-301 50
• It has become increasingly common, when choosing a password, to replace some letters with numerals that are similar in appearance, such as the number “1” for the letters “l” or “i”, or “3” for “E”. Some password cracking programs look for simple replacements like this.
• Do not use common words with a number added, like “89john32”, because these are also often included in cracking routines.
• DO use a random pattern of numbers and letters, including some letters in UPPER case, but not necessarily at the start of the password.
• DO include special characters like “^”, “:”, “%”, “]”, “$” and so on, as they help to make the password harder to guess.
• Do not use a password made up entirely of numbers (Solaris won’t actually let you do this).
• Make sure the password is at least 6 characters long. Only the first 8 characters are actually read when a password is entered, so creating a password longer than 8 characters merely adds to the user’s problem of trying to remember it.
• Use a mnemonic phrase if you know one, and muddle up the UPPER and lower case letters as well as replacing some with numbers, such as “1wLa5Ac”, which could be a mnemonic for “I wandered lonely as a cloud”.
• Do not use any passwords that have been printed as examples, such as those given in this document, because they might be added to a cracker’s list.
The items above constitute a defensive password policy: it is designed to produce passwords that are extremely difficult to crack.
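The rules above can be turned into an automated check that an administrator runs on a proposed password before it is accepted. The following is an added example, not code from the guide; the word list, the printed-example list and the extra numeral swaps beyond “1” and “3” are constructed assumptions.

```python
import string

# Constructed mini wordlist standing in for a cracker's dictionary (assumption: real tools use far larger lists).
COMMON_WORDS = {"john", "solaris", "admin", "secret", "welcome", "password"}

# Passwords printed as examples in this guide; the last rule says never to use them.
PRINTED_EXAMPLES = {"89john32", "1wLa5Ac"}

# Numeral-for-letter swaps that cracking programs undo. "1" (for l or i) and "3" (for E) come from
# the guide; "0", "4", "5" and "7" are added here as an assumption about other common swaps.
SUBSTITUTIONS = str.maketrans({"3": "e", "0": "o", "4": "a", "5": "s", "7": "t"})

SIGNIFICANT = 8  # Solaris reads only the first 8 characters of a password


def undo_substitutions(word):
    """Return the readings of word with numeral swaps undone ("1" may stand for l or i)."""
    base = word.translate(SUBSTITUTIONS)
    return {base.replace("1", "l"), base.replace("1", "i")}


def check_password(pw):
    """Return the list of policy rules pw breaks; an empty list means the password is acceptable."""
    problems = []
    if pw in PRINTED_EXAMPLES:
        problems.append("printed as an example in documentation")
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    elif len(pw) > SIGNIFICANT:
        problems.append("characters after the 8th are ignored by Solaris")
    if pw.isdigit():
        problems.append("entirely numeric")
    head = pw[:SIGNIFICANT]  # only this part is ever compared against the stored hash
    if not any(c.isupper() for c in head):
        problems.append("no UPPER case letter in the first 8 characters")
    if not any(c.islower() for c in head):
        problems.append("no lower case letter in the first 8 characters")
    if not any(c.isdigit() for c in head):
        problems.append("no digit in the first 8 characters")
    if not any(c in string.punctuation for c in head):
        problems.append("no special character in the first 8 characters")
    # "89john32": strip the numbers (and punctuation) bolted onto either end and look the core up
    core = pw.strip(string.digits + string.punctuation).lower()
    if core in COMMON_WORDS:
        problems.append("common word with numbers added")
    elif undo_substitutions(core) & COMMON_WORDS:
        problems.append("common word disguised by numeral-for-letter substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("89john32", "S0lar1s!", "123456", "k^9Tq:2m"):
        print(candidate, "->", check_password(candidate) or "OK")
```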
Users with No Password
As a system administrator, you should regularly check for user accounts that have no password assigned. Such an account lets an attacker log in simply by entering the username and pressing <return>, which is a huge security risk.
Use the logins -p command to report on user accounts with no password set. As an example, the user nopass has been configured with no password:
# logins -p
nopass 6666 staff 10
Password Aging
A password aging policy should be applied to all user accounts, so that each user has to change the password for their account periodically. The period to select depends on the organization and on the security policy that has been implemented. A common option is to force a change every 28 days, but even this can lead to users becoming fatigued by having to think of a new password every month; every three or four months will suit some sites better.