[colug-432] password survey

Robert Jewell bob at disclosed.org
Tue May 6 17:21:48 EDT 2014


On Fri, May 2, 2014 at 8:30 PM, Brian <bnmille at gmail.com> wrote:

> Due to a major re-organization at work, we are reviewing and/or
> implementing some new security policies.  I personally think some of the
> proposed policies are not going to help security at all.  So I thought I
> would take a survey to see what policies/practices are in place at other
> businesses.  These are specific to UNIX/Linux systems.  Active Directory
> users need not respond.
>
> 1.  How long do your passwords need to be?  Are you required to have
> non-alphabetic characters?  How many passwords do you have to cycle through
> before you can re-use a password?  Do you have a centralized authentication
> system?  If you don't have centralized authentication, can you use the same
> password on all UNIX/Linux systems?
>

I'm very fond of the system that pam_passwdqc[1] uses. The minimum length
of password decreases with the complexity, so that if your password uses a
simple character set (all lower case, for example), it must be very long,
but if you include other character classes, it can be shorter.

An example:
password      required      pam_passwdqc.so min=disabled,30,15,10,8

The above arguments to "min":
* disables the use of only one character class
* requires 30 characters if you use 2 classes
* requires 15 characters if you use "passphrases", which have their own set
of options for requiring certain numbers of words
* requires 12 if you use 3 classes
* requires 10 if you use 4 classes

I really like this because the patterns that make up a good password are
extremely varied. Some people like "complicated and completely random", and
that works. Others prefer "very long, but simple to type and remember".
The ability to use fewer character sets is also growing more desirable as
more people type passwords on smartphones/tablets.

That said, I don't actually use it anywhere but my personal servers,
because it doesn't translate well to corporate interfaces. There I abide by
a corporate policy that works well enough: one or more upper/special, one
or more lower, more than 8, no max. (I'd make it longer if I had my
druthers, but, alas, I don't.) We also use a central auth (via LDAP and
sssd), with posix groups in LDAP, and sudo rules in LDAP. That's crucial,
as it allows us broad, easy and global control of privilege escalation, so
we _never_ have to take shortcuts, like handing out root access, or giving
somebody sudo ALL:ALL.

We're also looking at Duo for multifactor, which works really well in our
tests, but is a little expensive.

1: http://linux.die.net/man/8/pam_passwdqc
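A small Python model of the class-dependent minimum described above, written as an added example (not from the post and not passwdqc's own code): it applies a min= spec the way the passwdqc man page documents it, including the rule that an upper-case first character and a digit last character do not count toward the class total. Assumed: words are split on whitespace, the passphrase word threshold defaults to 3, and passwdqc's "enough different characters" rule is left out.

```python
"""Passwdqc-style length policy: the minimum length grows as the number of
character classes shrinks. Added example, not passwdqc's implementation."""
from typing import List, Optional


def parse_min(spec: str) -> List[Optional[int]]:
    """Parse a 'min=' value such as 'disabled,30,15,10,8'.
    Fields: N0 one class, N1 two classes, N2 passphrase, N3 three, N4 four.
    None stands in for the 'disabled' keyword."""
    mins = [None if f == "disabled" else int(f) for f in spec.split(",")]
    if len(mins) != 5:
        raise ValueError("min= needs exactly five fields N0..N4")
    return mins


def count_classes(pw: str) -> int:
    """Count classes (digit, lower, upper, other). As passwdqc documents,
    an upper-case first character and a digit last character are ignored."""
    body = pw
    if body[:1].isupper():
        body = body[1:]
    if body[-1:].isdigit():
        body = body[:-1]
    classes = {
        "digit" if c.isdigit() else "lower" if c.islower()
        else "upper" if c.isupper() else "other"
        for c in body
    }
    return len(classes)


def required_length(pw: str, mins: List[Optional[int]],
                    passphrase_words: int = 3) -> Optional[int]:
    """Minimum length applying to pw, or None if that kind is disabled."""
    classes = max(count_classes(pw), 1)
    req = mins[{1: 0, 2: 1, 3: 3, 4: 4}[classes]]
    # Enough words makes it a passphrase: N2 applies if it is more permissive.
    # Assumption: words are separated by whitespace.
    if len(pw.split()) >= passphrase_words and mins[2] is not None:
        req = mins[2] if req is None else min(req, mins[2])
    return req


def check(pw: str, spec: str = "disabled,30,15,10,8") -> bool:
    """True if pw meets the policy; False if too short or its kind is disabled."""
    req = required_length(pw, parse_min(spec))
    return req is not None and len(pw) >= req
```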

