Choosing Account Passwords
Featured May 1999
The security of the Virtual Server system rests on the passwords used to gain access to personal or privileged information. Because passwords play such an important role in Virtual Server security, there are many issues you should consider when choosing and using them.
Of the many avenues of attack available to a malicious individual targeting a Virtual Server, password cracking is among the most effective. The UNIX operating system, on which the Virtual Server system is based, maintains a list of recognized users and information about their passwords in a special file (or files) consulted as needed for authentication. The Virtual Server system stores this information in a file named "passwd" located in the
Many cracking techniques in use today involve "dictionary guessing", in which a computer automates a trial-and-error process that tries a list of likely candidates until it discovers the correct password for an account. As a prelude to cracking activity, these individuals will often attempt to view the
As such, knowing the contents of the
This process can be surprisingly successful, so do not use weak passwords that could feasibly appear in any dictionary, including a foreign-language dictionary. Trivial permutations should also be avoided, because they are among the first things a dedicated attacker checks: a dictionary word or account name spelled backwards, two or more dictionary words concatenated, or a dictionary word with a letter or digit prefixed or suffixed. A good password has sufficient length (traditional UNIX systems use only the first eight characters of a password, so use all eight; systems with newer password hashes honor longer passwords, which are better still), sufficient complexity (UNIX passwords are case sensitive, so uppercase and lowercase letters are distinct, and they may contain punctuation and other unusual characters; use unusual capitalization and characters), and sufficient obscurity (never incorporate personal information about yourself that could be easily obtained).
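The following is an added example, not part of the original article, showing both sides of the preceding two paragraphs: a generator for the trivial permutations named above (reversed words, case variants, two-word concatenations, a single prefixed or suffixed character), a dictionary-guessing pass run against constructed passwd-style entries, and a checker that rejects passwords failing the length, complexity and obscurity criteria. The wordlist, the user entries and the salted SHA-256 "hash" are all constructed stand-ins (the real crypt(3) hash format is not reproduced); what is carried over faithfully is traditional crypt's use of only the first eight characters.

```python
import hashlib
import itertools
import string

# Constructed mini-dictionary standing in for a real wordlist (assumption).
WORDLIST = ["secret", "server", "unix", "admin", "virtual", "password"]

# Traditional DES-based crypt(3) uses only the first eight characters.
CRYPT_SIGNIFICANT = 8


def candidates(words):
    """The trivial permutations a dedicated attacker checks first:
    each word as-is and spelled backwards, in lower/Capitalized/UPPER form,
    two-word concatenations, and a single digit or '!' prefixed or suffixed."""
    bases = set()
    for w in words:
        for form in (w, w[::-1]):
            bases.update({form.lower(), form.capitalize(), form.upper()})
    for a, b in itertools.product(words, repeat=2):
        bases.add(a + b)
    affixed = set()
    for base in bases:
        for ch in string.digits + "!":
            affixed.add(base + ch)
            affixed.add(ch + base)
    return bases | affixed


def toy_hash(salt, password):
    """Salted SHA-256 standing in for crypt(3) (assumption: not the real
    passwd hash format). Only the first eight characters of the password
    are hashed, mirroring traditional crypt's truncation."""
    data = salt + password[:CRYPT_SIGNIFICANT]
    return hashlib.sha256(data.encode()).hexdigest()


def make_entry(user, salt, password):
    """Constructed 'user:salt:hash' record (assumption: a simplified layout)."""
    return f"{user}:{salt}:{toy_hash(salt, password)}"


# Constructed sample entries; the first three use exactly the permutations
# the article warns against, the last one is not derivable from the wordlist.
SAMPLE_ENTRIES = [
    make_entry("alice", "ab", "Secret1"),     # capitalized word + digit
    make_entry("bob", "cd", "revres"),        # "server" spelled backwards
    make_entry("carol", "ef", "unixadmin"),   # two words concatenated
    make_entry("dave", "gh", "x9!Kv#2qL"),    # random, mixed case, punctuation
]


def crack(entries, words):
    """Dictionary-guess every entry; return {user: recovered password}.
    Candidates are tried in sorted order so the result is deterministic."""
    cands = sorted(candidates(words))
    found = {}
    for entry in entries:
        user, salt, digest = entry.split(":")
        for cand in cands:
            if toy_hash(salt, cand) == digest:
                found[user] = cand
                break
    return found


def password_problems(pw, words, personal=()):
    """Reasons a proposed password fails the guidance above; [] means it
    passes. Complexity is judged on the first eight characters because
    that is all traditional crypt(3) ever sees."""
    effective = pw[:CRYPT_SIGNIFICANT]
    problems = []
    if len(pw) < CRYPT_SIGNIFICANT:
        problems.append("shorter than 8 characters")
    has_lower = any(c.islower() for c in effective)
    has_upper = any(c.isupper() for c in effective)
    if not (has_lower and has_upper):
        problems.append("no mix of upper and lower case in the first 8 characters")
    if not any(c.isdigit() or c in string.punctuation for c in effective):
        problems.append("no digit or punctuation in the first 8 characters")
    guessable = {c[:CRYPT_SIGNIFICANT].lower() for c in candidates(words)}
    if effective.lower() in guessable:
        problems.append("derived from a dictionary word")
    for item in personal:
        if item.lower() in pw.lower():
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    print("recovered:", crack(SAMPLE_ENTRIES, WORDLIST))
    for pw in ("Secret1", "password123", "x9!Kv#2qL"):
        print(pw, "->", password_problems(pw, WORDLIST) or "ok")
```

Three of the four constructed accounts fall to a few thousand guesses built from a six-word list; a real dictionary multiplied by the same permutations is why the article calls this process "surprisingly successful". The checker deliberately evaluates the first eight characters only, so that "password123" is still flagged as a plain dictionary word: under traditional crypt the trailing digits never reach the hash.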
In the book Practical Unix Security, Simson Garfinkel and Gene Spafford offer the following checklist of things to consider when choosing a password. To be secure, a password should NOT be any of the following:
The authors go on to say that good passwords are ones that are difficult to guess. In general, good passwords:
· Have an illogical mix of both uppercase and
REMEMBER: Following a sensible password policy will help ensure that your Virtual Server remains the robust and secure system it should always be.