In the current dangerous era of relentless hacking, the first line of defense for any computer or network is the password.
You just can’t afford to make a mistake with password management.
If you mess up on using a strong password, all is lost.
Passwords to Avoid
Here are some tips on how to avoid making some common mistakes when it comes to the password.
1. Never use a password of less than 12 characters.
The shorter the password the easier it is to crack.
2. Avoid a single dictionary term for password creation even if they are complicated words like prestidigitator.
The single word rule applies to both English and foreign terms.
As a native English speaker, you may think foreign words like leibchen, dummkopf or dilwale sound cute and unique.
But don’t forget your “cute and unique” words are familiar to millions of Germans (the first two words) and hundreds of millions of Indians (last word).
3. Do not use even the reverse of dictionary words.
Password cracking tools like John the Ripper will make mincemeat of dictionary passwords or its reverse in a matter of seconds.
4. Never ever use personal information like Social Security Numbers, TAX ID numbers, birthdays, names, anniversaries, family members’ names, pet names, names of famous personalities like Angelina Jolie, George Clooney or George Washington or a school name.
Don’t even think of using Julia Roberts or Amitabh Bachchan in reverse.
5. Refrain from using sequence of keys on the PC’s keyboard layout.
If your password is asdfghjkl;’ or qwertyuiop, change it immediately and then call your health insurance company to check if your policy covers psychiatric treatment. 😉
6. Never use the same password on multiple machines.
By using different passwords, even if one of your servers or computers is compromised the other machines are still secure.
7. And above all, do not fall prey to the temptation of writing down passwords.
You’ll invariably lose it and the piece of paper will fall into the hands of nasty elements.
What is a Strong Password?
Ideally, a strong password will be a combination of uppercase and lowercase letters, digits and special characters.
Security experts recommend a high entropy value for passwords.
So what the heck is entropy?
Represented in bits, entropy is the uncertainty level associated with a random variable. Higher the entropy of your password, the stronger it will be.
So a password with an entropy value of 128 will be more secure than one with a value of 56.
A password of less than 10 bits of entropy is not advisable.
Those who spend considerable time on security matters say a good idea for a password is to use a passphrase (a combination of multiple words that you can remember).
So 2%Kennedy 36DMonroe MafiaY? Bobby2? might not be a bad passphrase/password.
Use Password Generator
If for some reason you can’t come up with a strong enough password, use the password generator in your Linux system.
I occasionally use the command line utility pwmake, which comes with CentOS 7, RedHat 7 and Fedora 21.
If you’re using Ubuntu or Linux Mint, you can get pwmake by installing libqualitytools.
A big plus with pwmake is that you can specify the desired entropy.
For a home computer, an entropy of 12 is not a bad deal.
$ pwmake 12 amEf)oKguLHU
But in businesses or government organizations, you definitely want a tougher password and must therefore opt for higher entropy of at least 56.
$ pwmake 56 4lHonUlF3w-e
I’d recommend an entropy of 128 for large commercial establishments and government agencies.
$ pwmake 128 4z4LaqAkuwSOg#4c=4q@PquB=yR
RedHat 7 and CentOS 7 use the pam_pwquality module to check a password’s strength against a set of rules.
Also, use the pmquality.conf module in the etc/security folder to configure password requirements.
With pmquality.conf , you can set restrictions on consecutive characters, number of characters in the new password that must not be present in the old password, enforce lower case and upper case letters and more.
If you’ve started off with a weak password, you can change it to a stronger one via the passwd command line tool. But do it NOW.
Enforce Password Aging
If you’re a systems administrator, enforce password aging for your users.
Password aging refers to the practice of forcing users to change passwords after a specified period of time (say 60 or 90 days).
Several U.S. commercial banks enforce password aging by requiring users to change passwords at periodic intervals.
To force password aging on the command line, use the chage command.
In the below example, we’ll see how to enforce a password change.
Force Change Password in 90 Days
chage -M 90 [username]
chage can take several options.
I encourage you to check out the man pages for chage.
If I have said it once, I’ve said it a thousand times – A strong password is the first and crucial line of defense to secure your server against intruders and hackers.