Easy things users can do to improve security: Recommendations of "best practices" for securing individual users' accounts.


Disclaimer: The recommendations expressed here represent the current understanding of "best practices" by the authors and contributors. The recommendations are not claimed to be comprehensive or complete or even necessarily correct in all circumstances. This page is continually "Under Construction" and will change and expand.

Disclaimer: The recommendations expressed here are primarily intended to apply to individual users' accounts under ordinary circumstances. Anyone with special circumstances or setting up special services should seek further expert guidance.

Last modified by: Mark O. Kaletka, kaletka@fnal.gov, on 8/14/98.


Passwords

All user accounts must have passwords, since the password is a means to authenticate the identity of the person using an account as the authorized user and to prevent misuse by unauthorized users.

For the same reason -- the password authenticates the identity of the authorized user -- passwords must never be shared. Furthermore, the authorized user will be held responsible for misuse of the account if the password is shared.

Passwords based on personal information easily obtained from the net -- such as account name, actual first or last name, initials of the name, system name, etc. -- are extremely easy to guess and should never be used. Hackers are also on to all the usual tricks, such as spelling a name backwards or simple substitution of characters. Certain easily-guessed words are also commonly used as (poor) passwords -- such as "guest", "password", "secret", etc. -- and should never be used as passwords.

Hackers also have easy access to very powerful password-cracking tools incorporating extensive word and name dictionaries. Passwords should never be dictionary words or names. The cracking tools will also check for simple tricks like words spelled backwards or simple substitution of certain characters (e.g. "mouse" becomes "m0us3"). Pass phrases of several words are often OK, as long as the combination is not too obviously guessable -- e.g. don't use "secret password" as a pass phrase. Here is a brief description of how password crackers work.

More secure passwords are those which are based on pass phrases and/or non-dictionary words (including "nonsense" words), combined with obscure character substitutions. These can be extremely difficult to either guess or crack. If your system supports machine-generated passwords, you might also consider using one. Here are some examples of good and bad passwords.

Using the maximum number of characters greatly increases the complexity of guessing or cracking passwords. Beware that only the first eight characters of a password are "significant" on most UNIX systems, although the system allows you to type longer ones.

A regular password change is a good idea, since it prevents misuse of your account without your knowledge if your password was somehow accidentally (or deliberately) disclosed.

Until better technologies (or larger human brains) develop, it's understandable that users will want and need to record their passwords. This is acceptable if password lists are stored in a safe place, such as a slip of paper tucked in the wallet, a floppy disk kept in a locked personal cabinet, or a strongly encrypted file with a good encryption key. In any case, great care must be taken to safeguard the list when it is used and to be sure to return it to safe storage immediately after use.

Don't leave your password on a post-it on your desk (this really happens) or written down in any other places where someone could find it. If you absolutely must write down your passwords, keep them in a secure, locked place.

Also, don't leave your passwords where others can find them electronically. Never send them in email, post them to news, leave them online in a file (even in a protected directory), embed them in a script, etc.
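Passwords embedded in scripts or left in files, as warned against above, are something an administrator can look for. The following scanner is an added example, not code from the original page or from Fermilab: it flags lines that assign a literal value to a password-like variable or pass one on a command line, and skips values that are only variable references or obvious placeholders. The sample script contents are constructed for the example, and the patterns cover only the common spellings shown; a real sweep would extend them for local tools.

```python
"""Scanner for passwords left in files or scripts (added example, not the
page's own code).  Reports (line number, line) for each literal credential
found.  Patterns are deliberately simple and are assumptions for the example."""
import re

# A variable or key whose name contains pass/passwd/passphrase/pw/secret,
# followed by "=" or ":" and a literal value.
ASSIGN = re.compile(
    r"""(?i)\w*(?:pass(?:word|wd|phrase)?|pw|secret)\w*\s*[=:]\s*["']?([^\s"']+)""")
# A command-line flag such as --password=value or -password value.
FLAG = re.compile(r"""(?i)--?pass(?:word)?(?:=|\s+)["']?([^\s"']+)""")

# Values that are clearly not a real credential.
PLACEHOLDERS = {"xxx", "changeme", "password", "secret", "none", "prompt"}


def is_literal_secret(value):
    """True unless the value is a variable reference or a placeholder."""
    if value.startswith(("$", "%")):        # shell or DOS variable reference
        return False
    if value.lower().strip("<>") in PLACEHOLDERS:
        return False
    return True


def find_embedded_passwords(text):
    """Return [(lineno, line)] for lines that appear to carry a literal password."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]        # ignore shell-style comments
        for pattern in (ASSIGN, FLAG):
            match = pattern.search(code)
            if match and is_literal_secret(match.group(1)):
                hits.append((lineno, line.strip()))
                break
    return hits


# Constructed sample script; "hunter2" is a made-up value, not a real credential.
SAMPLE = """\
#!/bin/sh
# backup.sh -- constructed sample for the example
USER=jdoe
PASSWORD=hunter2
DB_PASS="${DB_PASS:-}"    # read from the environment, not a literal
mysqldump --password=hunter2 db > dump.sql
echo "password=changeme"   # placeholder, not a credential
read -s -p "Password: " PW
"""

if __name__ == "__main__":
    for lineno, line in find_embedded_passwords(SAMPLE):
        print("line %d: %s" % (lineno, line))
```

Lines 4 and 6 of the sample are reported; line 5 reads the value from the environment, line 7 is a placeholder, and line 8 prompts for the password at run time, which is the pattern to prefer over embedding it.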