Establishing Good Password Policies

Dru Lavigne, 17 Jan 2001

...In this week's article, I'd like to take a look at how to create a password policy on your FreeBSD system.

In order for any user to log in to a FreeBSD system, they need to have a previously created user account and know the password associated with that user account. One of the responsibilities of the system administrator is to create a password policy that is appropriate for the users of the network. When creating the password policy, you need to consider the following points:

• What is the minimum required length of passwords? For example, are blank passwords (a bad idea) allowed, or do passwords have to be at least so many characters in length?
• What characters are allowed in a password? That is, can a password contain all lowercase letters, or must they contain some combination of upper and lowercase letters, numbers, and symbols?
• What is the password expiration date, meaning, how often are users forced to change their password?
• Do you want the system to enforce password history? This means that when a user changes their password, they can't change it back to their old password or a password they've used before. This is also sometimes called password uniqueness.
• Do you want to enforce lockout, and if so, after how many bad password attempts? Lockout means that a user will no longer receive the login prompt if they mistype the password so many times during a login attempt.

Often, administrators will have a password policy for regular user accounts and a separate policy for the root user account. For example, it is common to have a password length of 6 characters for regular users, but require a password length of 11 characters for the root user account. You may decide that it is too difficult to force users to use a password that requires both uppercase characters and symbols, but may want to keep this as a requirement on the root password so it will be much more difficult to guess.

There are additional considerations when creating a password policy. When a user account is created, the password is also created by the administrator. It is recommended that users immediately change this password the first time they log in; this ensures that no one knows the user's password except that user. Users should be taught not to give their password to anyone for any reason; remember, if worst comes to worst and a user forgets their password or a user leaves and access to their resources is required, the superuser has the ability to change the user's password.

Since users are responsible for creating their own passwords, it is up to the system administrator to educate users on what does and does not constitute a good password. Being human, it is far easier to remember a password that is the same as my username, my real name, my nickname, my dog's name, etc. Unfortunately, these are all examples of bad passwords. Many articles have been written that give examples of both good and bad passwords and the reasons why creating a good password is important. Here is one such article.

Let's assume we wish to implement the following example password policy:

• Regular users have a minimum password length of 8 characters.
• The root user has a minimum password length of 11 characters.
• All users must change their password every 30 days.
• Users must have at least one non-letter character in their password.
• Lockout occurs after 5 bad login attempts.
• Password history does not allow a user to reuse any of his last 10 passwords.
• Users are not allowed to use their username as their password.

...

Original article: http://www.onlamp.com/pub/a/bsd/2001/01/17/FreeBSD_Basics.html

Our Software