<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, May 2, 2014 at 8:30 PM, Brian <span dir="ltr"><<a href="mailto:bnmille@gmail.com" target="_blank">bnmille@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div><div><div><div>Due to a major re-organization at work, we are reviewing and/or implementing some new security policies. I personally think some of the proposed policies are not going to help security at all. So I thought I would take a survey to see what policies/practices are in place at other businesses. These are specific to UNIX/Linux systems. Active Directory users need not respond.<br>
<br></div>1. How long do your passwords need to be? Are you required to have non-alphabetic characters? How many passwords do you have to cycle through before you can re-use a password? Do you have a centralized authentication system? If you don't have centralized authentication, can you use the same password on all UNIX/Linux systems?<br>
</div></div></div></div></blockquote><div><br></div><div>I'm very fond of the system that pam_passwdqc[1] uses. The minimum length of password decreases with the complexity, so that if your password uses a simple character set (all lower case, for example), it must be very long, but if you include other character classes, it can be shorter.</div>
<div><br></div><div>An example: </div><div>password required pam_passwdqc.so min=disabled,30,15,10,8<br></div><div><br></div><div>The above arguments to "min":</div><div>* disables the use of only one character class</div>
<div>* requires 30 characters if you use 2 classes</div><div>* requires 15 characters if you use "passphrases", which have their own set of options for requiring certain numbers of words</div><div>* requires 12 if you use 3 classes</div>
<div>* requires 10 if you use 4 classes</div><div><br></div><div>I really like this because the patterns that make up a good password are extremely varied. Some people like "complicated and completely random", and that works. Others prefer "very long, but simple to type and remember". The ability to use fewer character sets is also growing more desirable as more people type passwords on smartphones/tablets.</div>
<div><br></div><div>That said, I don't actually use it anywhere but my personal servers, because it doesn't translate well to corporate interfaces. There I abide by a corporate policy that works well enough: one or more upper/special, one or more lower, more than 8, no max. (I'd make it longer if I had my druthers, but, alas, I don't.) We also use a central auth (via LDAP and sssd), with POSIX groups in LDAP, and sudo rules in LDAP. That's crucial, as it allows us broad, easy and global control of privilege escalation, so we _never_ have to take shortcuts, like handing out root access, or giving somebody sudo ALL:ALL.</div>
<div><br></div><div>We're also looking at Duo for multifactor, which works really well in our tests, but is a little expensive.</div><div><br></div><div>1: <a href="http://linux.die.net/man/8/pam_passwdqc">http://linux.die.net/man/8/pam_passwdqc</a><br>
</div></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div></div></div>
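<div>Added example (not part of the original post, and not pam_passwdqc's own code): a small Python model of how the quoted <code>min=disabled,30,15,10,8</code> argument is applied. It assumes the tier layout from the pam_passwdqc man page (one class, two classes, passphrase, three classes, four classes), the default of three words for a passphrase, and a simplified passphrase test; the sample passwords are constructed.</div>

```python
import re
from typing import Optional

MIN_ARG = "disabled,30,15,10,8"   # the exact argument quoted in the post
PASSPHRASE_WORDS = 3              # passwdqc default, "passphrase=3"


def parse_min(arg: str) -> list[Optional[int]]:
    """'disabled,30,15,10,8' -> [None, 30, 15, 10, 8]; None means that tier is never accepted."""
    fields = arg.split(",")
    if len(fields) != 5:
        raise ValueError("min= takes exactly five comma-separated values")
    return [None if f == "disabled" else int(f) for f in fields]


def count_classes(pw: str) -> int:
    """Character classes present (lower, upper, digit, other). passwdqc gives no
    credit for an upper-case first character or a digit last character."""
    body = pw[1:] if pw[:1].isupper() else pw
    body = body[:-1] if body[-1:].isdigit() else body
    present = (any(c.islower() for c in body), any(c.isupper() for c in body),
               any(c.isdigit() for c in body), any(not c.isalnum() for c in body))
    return sum(present)


def is_passphrase(pw: str) -> bool:
    """Simplified (assumption): enough alphabetic words separated by non-letters.
    Real passwdqc also constrains word length and separators."""
    return len(re.findall(r"[A-Za-z]+", pw)) >= PASSPHRASE_WORDS


def check(pw: str, arg: str = MIN_ARG) -> tuple[bool, str]:
    """Accept pw if it meets the length for any tier it qualifies for.
    Tiers: min[0] 1 class, min[1] 2 classes, min[2] passphrase, min[3] 3, min[4] 4."""
    mins = parse_min(arg)
    n = count_classes(pw)
    for need_classes, idx in ((1, 0), (2, 1), (3, 3), (4, 4)):
        if n >= need_classes and mins[idx] is not None and len(pw) >= mins[idx]:
            return True, f"{n} classes, length {len(pw)} >= {mins[idx]}"
    if is_passphrase(pw) and mins[2] is not None and len(pw) >= mins[2]:
        return True, f"passphrase, length {len(pw)} >= {mins[2]}"
    return False, f"{n} classes, length {len(pw)}: too short or class count disabled"


if __name__ == "__main__":
    # Constructed samples: the 40-char single-class password is rejected because
    # the one-class tier is disabled; the 28-char passphrase passes via min[2].
    for sample in ("a" * 40, "Password1", "xK9#q2Lm", "tr0ub4dor&", "correct horse battery staple"):
        print(repr(sample), check(sample))
```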