93-04
Posted Sep 23, 1999

SHA-256 | 0246b8f1e54880916b596bc95f7f2cd7ea00e2d8729dac5b89d37141a257f7ab

=============================================================================
SA-93:04 SERT Advisory
1-Jun-1993
Guidelines For Developing A Sensible Password Policy
-----------------------------------------------------------------------------

This advisory contains guidelines for developing a sensible password policy.
Please feel free to extract the contents of this advisory, modify to suit local
conditions, and then distribute to end users, as it is end users who are
responsible in the first instance for individual account security.

Without doubt, one of the most popular methods used by computer crackers to
compromise a system is password stealing.

By stealing your username and password an intruder can, with reduced
likelihood of detection, gain access to your system, modify it for his or
her own purposes and use that system as a launchpad for attacks on other
systems throughout the world - and all in your name. Password protection is
one of the most (if not the single most) important principles of system
security. It is uniformly important for ALL users, regardless of system
privileges or computer literacy. It is up to each and every individual to
ensure that their password is safe - a single unsafe password can (and
probably will) lead to a computer cracker violating YOUR system.

Your best line of defence against attack is a secure password. A password
is like a key: an entry point that grants access without a proper one is
not secure. A bad password is like leaving your front door unlocked.

Do not underestimate the ease with which your password can be stolen. There
are many techniques available to do this. A simple and amazingly successful
password theft technique for the cracker is password guessing (i.e. entering
your username, and simply guessing what your password might be). The aim of
this advisory is to thwart these attempts.



How To Select A Safe Password
-----------------------------

Some systems automatically (and autocratically) allocate passwords to
users. Many systems, however, give the user the option of selecting his
or her own password. The following guidelines should help in selecting a
password which will be sufficiently robust to prevent a cracker from
guessing your password in the majority of cases.

There are several principles involved in selecting a safe password. These
are covered below.


The DO-NOTs

DO NOT use simple passwords of the kinds listed below. They may be easy to
remember, but they are typically not safe:

- your userid (a common, but extremely dangerous practice);

- a word which can be associated with you. For example:
- your car make, model or registration number
- your child's name
- your street name, postcode or other address details
- your medicare number
- your tax file number
- any of your bank account numbers;

- a word which someone watching could easily spot (qwertyuiop);

- any dictionary word (which a cracker with a PC and an on-line
dictionary could discover by exhaustive trial);

- words from other guessable word sets such as famous names,
proper names, colloquial terms (in various spheres of
life) and so on.

It is not sufficient to include a single number in the word, or
change all O's to 0's and I's or L's to 1's in the word, or to spell
the word backwards.


DO NOT leave your account without a password.

DO NOT use your userid as your password.

DO NOT use any word from a dictionary (of any language) as most forms of
password attack use dictionaries as a basis for password guessing.

DO NOT use birthdays, car registration numbers, room numbers, department names,
machine names, locations, wife/husband's names, pet's names,
children's names and so on. These are easily determined, as most of this
information is not confidential.

DO NOT use keyboard patterns or repeated characters, such as qwerty or
aabbccdd.

DO NOT use the same password on multiple accounts. If one is broken,
then all are broken. Also, do not just change one character between
the passwords, as the pattern is easily spotted if one of them is
compromised.

DO NOT allow anyone to watch while you type your password.

DO NOT record your password on-line, and DO NOT write your passwords down.

DO NOT tell anyone what your password is. Do not share your password with
your partner, your children, your friends. Even telling your dog
should be considered risky! Do not tell a person verbally, by
electronic mail or by any other means.

Remember: if someone has your password, they can commit criminal acts using
your account!

SERT staff have been alerted to several security breaches at constituent
sites which have been attributed (in total or in part) to the sharing of
passwords between husband and wife, parent and child, and between friends.



The DOs

DO use a MINIMUM (not maximum!) of 8 or more characters (system permitting).

DO use mixed case wherever possible. DO NOT choose only the first letter as
uppercase. (e.g. Mich37bo is not as good as MicH37Bo.)

DO include at least two digits or punctuation characters. DO NOT simply replace
"o" and "O" with "0", and "I", "l" or "L" with 1. (e.g. fl0pp1mp is
not as good as fL0$p*Mp.)

DO change passwords frequently, and DO NOT reuse old passwords. Password
cracking programs have been around for quite a while now, and given
enough computing time any password can eventually be broken.

Applying the techniques outlined above makes the time required to break a
password prohibitively long. However, that time drops sharply if the
attacker learns any part of the password, or anything else about how it
was chosen. Passwords should therefore be changed regularly, so that even
if a password is finally guessed it will be long out of date. A password
should never be reused.
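The DO-NOTs and DOs above, written out as a policy checker. This is an added example for this page, not part of the SERT advisory and not code from any of the tools it mentions. The small word list standing in for an on-line dictionary, the keyboard rows, the personal details and the test passwords are all constructed; check_password() returns the list of rules a candidate breaks, so an empty list means it passed every check here. The two pairs of passwords the DOs compare (Mich37bo versus MicH37Bo, fl0pp1mp versus fL0$p*Mp) come out the way the advisory ranks them.

```python
import re
import string

# Constructed stand-in for the on-line dictionary and "guessable word sets"
# a cracker would feed to a program such as Crack.
DICTIONARY = {"password", "secret", "floppy", "michael", "yellow", "ribbon",
              "queensland", "brisbane", "holden", "rover"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Substitutions the advisory says are "not sufficient": undo them before
# looking a candidate up, exactly as a cracker's rule list would.
LEET = str.maketrans("01345@$", "oleasas")
ZERO_ONE = str.maketrans("01", "ol")


def _variants(pw):
    """Forms of the password a dictionary attack with simple rules would
    also try: lower-cased, digits/punctuation trimmed from the ends,
    0->o / 1->l undone, non-letters removed, and each of those reversed."""
    low = pw.lower()
    trimmed = low.strip(string.digits + string.punctuation)
    forms = set()
    for base in (low, trimmed, low.translate(LEET), trimmed.translate(LEET)):
        for f in (base, re.sub(r"[^a-z]", "", base)):
            forms.add(f)
            forms.add(f[::-1])
    return {f for f in forms if f}


def _is_keyboard_pattern(pw):
    """True if four or more adjacent keys from one keyboard row appear in
    order, in either direction (qwer, poiu, 4567 ...)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for cand in (row, row[::-1]):
            for i in range(len(cand) - 3):
                if cand[i:i + 4] in low:
                    return True
    return False


def check_password(pw, userid, personal=()):
    """Return the list of rules the candidate breaks; [] means it passed.

    `personal` holds words associated with the user (names, car
    registration, street, pet ...) that the DO-NOTs say to avoid."""
    if not pw:
        return ["empty password"]
    problems = []
    variants = _variants(pw)
    # The DO-NOTs
    if userid.lower() in variants:
        problems.append("password is the userid")
    for word in personal:
        if word.lower() in variants:
            problems.append("personal information (%s)" % word)
    if variants & DICTIONARY:
        problems.append("dictionary word (possibly reversed or with 0/1 substitutions)")
    if _is_keyboard_pattern(pw):
        problems.append("keyboard pattern")
    if re.search(r"(.)\1(.)\2", pw) or len(set(pw)) <= len(pw) // 2:
        problems.append("repeated characters")
    digits = [c for c in pw if c.isdigit()]
    if digits and set(digits) <= {"0", "1"} and pw.translate(ZERO_ONE).isalpha():
        problems.append("digits are only 0/1 stand-ins for o/l")
    # The DOs
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    elif pw[0].isupper() and not any(c.isupper() for c in pw[1:]):
        problems.append("only the first letter is upper case")
    if sum(c.isdigit() or c in string.punctuation for c in pw) < 2:
        problems.append("fewer than two digits or punctuation characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Mich37bo", "MicH37Bo", "fl0pp1mp", "fL0$p*Mp", "drowssap"):
        print(candidate, check_password(candidate, "mjones") or "OK")
```

A real deployment would load the dictionary from disk and would be wired into the password-changing program (as npasswd and passwd+ do); the point here is that every DO-NOT is a mechanical test, so there is no reason to rely on users remembering the list.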



General techniques for generating safe passwords include:

- using two or three short words that are unrelated;
- always including some non-alphabetic, non-numeric (i.e. punctuation)
characters;
- deliberately misspelling;
- taking the first letter from each word of a phrase (a passphrase).

Note that different operating systems have different rules for the
characters that one is allowed to use in a password. Some operating systems
will allow any printable characters, whereas others only allow numeric and
alphabetic (i.e. non-punctuation) characters.


After reading all of that, you may ask "well, what is a good password? What
can I use?". One technique is to take a two or three word phrase, replace
the 1st character of the 1st word with <shift>-1, the 2nd character of the
2nd word with <shift>-2, and so on, then uppercase every second character
except punctuation. e.g. !Yc@rSm$lLs (my car smells). Note that the
characters produced by <shift>-1, <shift>-2 and so on depend on your
keyboard layout.

Another alternative might be to use the first letter from each word in a
line from a song, have every third letter in upper case, and replace (aeiou)
with ({}:"?). For example, 'Tie A Yellow Ribbon Round That Old Oak Tree'
would convert into 't{YrrT""T'.

(Rationale:
'Tie A Yellow Ribbon Round That Old Oak Tree' => 'tayrrtoot'
Convert every third letter to upper case => 'taYrrTooT'
Replace lower case vowels => 't{YrrT""T')

Note that these examples should NOT be used as they are now published
widely!
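The two transformations just described, as an added example written for this page (not part of the advisory). The shifted-digit characters are taken from the US keyboard layout (1 gives !, 2 gives @, 3 gives #, ...), which is an assumption; following the rule as stated with that layout, the third word of "my car smells" picks up "#" rather than the "$" in the printed example, which is what a layout where <shift>-3 gives "$" would produce. The second function reproduces the 'Tie A Yellow Ribbon' rationale exactly.

```python
import string

# Shifted digit row of a US keyboard. This is an assumption: other
# layouts put different symbols on these keys.
US_SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))

# The advisory's vowel replacement: a e i o u -> { } : " ?
VOWEL_MAP = str.maketrans("aeiou", '{}:"?')


def shift_and_alternate(phrase, shifted=US_SHIFTED_DIGITS):
    """Technique 1: replace the Nth character of the Nth word with the
    shifted digit N, join the words, then upper-case every second
    character that is not punctuation."""
    words = phrase.lower().split()
    out = []
    for n, word in enumerate(words, start=1):
        if n <= len(word):                      # word long enough to have an Nth char
            word = word[:n - 1] + shifted[str(n % 10)] + word[n:]
        out.append(word)
    chars = list("".join(out))
    for i in range(1, len(chars), 2):           # 2nd, 4th, 6th ... character
        if chars[i] not in string.punctuation:
            chars[i] = chars[i].upper()
    return "".join(chars)


def initials_every_third_vowels(phrase):
    """Technique 2: first letter of each word, every third letter
    upper-cased, then lower-case vowels replaced via VOWEL_MAP."""
    initials = "".join(w[0] for w in phrase.lower().split())
    chars = list(initials)
    for i in range(2, len(chars), 3):           # 3rd, 6th, 9th ... letter
        chars[i] = chars[i].upper()
    return "".join(chars).translate(VOWEL_MAP)


if __name__ == "__main__":
    print(shift_and_alternate("my car smells"))
    print(initials_every_third_vowels("Tie A Yellow Ribbon Round That Old Oak Tree"))
```

Both functions are deterministic, which is the point: the same phrase always yields the same password, so the phrase (not the password) is what the user has to remember, and the phrase itself must not be one anyone could guess.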

You should be aware of what characters your system will accept in a
password, the length required for a password, and what time period is
allowed before the password will have to be changed again. You also need to
be aware of the commands used to change passwords.





What System Managers Can Do
---------------------------

Consider using the following techniques.

- Use Crack, a password cracking tool, to audit existing passwords. You supply
a dictionary and a list of massaging rules; Crack encrypts each candidate
the rules produce and compares the result with the stored encrypted
passwords to see which it can guess. Crack is only available for UNIX
systems.

- Consider also the use of password shadowing, which places the encrypted
passwords in a file that is not world-readable (such as /etc/shadow)
rather than in /etc/passwd, which is. Again, this is only applicable to
UNIX systems.

- If your system has a facility to enforce rules on minimum password
content (e.g. "must include at least 1 upper case and at least 1
numeric"), then use this facility. For UNIX systems which don't
have this facility, npasswd or passwd+ are good alternatives.

- If your system has a facility to (a) enforce password ageing, and (b) keep
a history file of passwords and disallow previous passwords, then
use this facility also.

- Keep passwords for system accounts distributed amongst the smallest group
of people possible. Change these passwords more frequently than
passwords for non-privileged accounts.

- Take care with facilities that allow logins which bypass the use of
passwords. For instance, on VMS systems, don't allow proxy logins for
privileged accounts such as "SYSTEM". On UNIX machines, remove any
.rhosts files (or /etc/hosts.equiv) with "+" signs in them: a lone "+"
entry trusts every host, and "+ +" in .rhosts trusts every user on every
host.
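Three of the items above (encrypted passwords left where Crack can read them, accounts with no password at all, and "+" entries in /etc/hosts.equiv or .rhosts) can be checked for mechanically. The following is an added example written for this page, not part of the advisory and not Crack itself. The passwd, hosts.equiv and .rhosts contents are constructed sample data, and the functions take file text as a string so the example runs without touching a live system; on a real host you would pass in the contents of the actual files. Treating "x" and "*" in the password field as shadowed or locked follows the common UNIX conventions and is an assumption about your particular system.

```python
# Constructed sample /etc/passwd: one hash in the clear, one locked
# account, one account with an empty password field, one shadowed.
SAMPLE_PASSWD = """\
root:aBcDeFgH1jKlM:0:0:Super-user:/:/bin/sh
daemon:*:1:1::/:
guest::100:100:Guest account:/home/guest:/bin/sh
jsmith:x:1001:100:John Smith:/home/jsmith:/bin/csh
"""

# Constructed sample /etc/hosts.equiv: a lone "+" trusts every host.
SAMPLE_HOSTS_EQUIV = """\
# trusted hosts
+
mail.example.edu
"""

# Constructed sample ~/.rhosts: "+ +" trusts every user on every host.
SAMPLE_RHOSTS = """\
workstation1.example.edu jsmith
+ +
"""


def audit_passwd(text):
    """Return (no_password, unshadowed) lists of account names.

    An empty password field means no password is needed to log in.
    'x' and '*' are the usual shadow marker and lock (assumed here);
    anything else is a crypt(3) hash in the world-readable file, which
    is exactly the input Crack wants."""
    no_password, unshadowed = [], []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            no_password.append(user)
        elif pw not in ("x", "*"):
            unshadowed.append(user)
    return no_password, unshadowed


def wildcard_trust_lines(text):
    """Return 1-based line numbers of hosts.equiv / .rhosts entries in
    which a field is a bare '+'. '+@netgroup' is a netgroup reference,
    not a wildcard, and is deliberately not matched."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if "+" in stripped.split():
            hits.append(n)
    return hits


def run_audit(passwd=SAMPLE_PASSWD, hosts_equiv=SAMPLE_HOSTS_EQUIV, rhosts=SAMPLE_RHOSTS):
    """Combine the checks into a list of human-readable findings."""
    findings = []
    empty, exposed = audit_passwd(passwd)
    findings += ["no password: %s" % u for u in empty]
    findings += ["hash in world-readable passwd: %s" % u for u in exposed]
    for name, content in (("/etc/hosts.equiv", hosts_equiv), ("~/.rhosts", rhosts)):
        for n in wildcard_trust_lines(content):
            findings.append("'+' wildcard in %s line %d" % (name, n))
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Every name in the unshadowed list is a password Crack can be run against without any privilege at all, and every "+" hit is a login that asks for no password in the first place; both should be empty before the password rules for users are worth enforcing.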


Login programs (such as /bin/login on UNIX systems) are constructed to
behave in a certain way. One method used by crackers to obtain passwords is
to execute a program (a trojan horse) masquerading as the login program.
The trojan horse will accept your username and password, log it into a
secret file, and then inform you that the combination entered was
incorrect, before finally calling the real login program. The user,
thinking that this was merely a typographical error, will proceed as normal
unaware that his or her password has been logged for later use. This can be
avoided in some cases by typing <Return> a few times before entering your
username/password combination.

Finally, system managers should be aware that X display managers (such as
xdm) may bypass several login and system facilities such as message of
the day, password ageing etcetera. Depending upon the sensitivity of your
site, this may present some problems which will need resolution using more
lateral methods.


If you believe that your system has been compromised, contact SERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: sert@sert.edu.au
Facsimile: (07) 365 4477
Telephone: (07) 365 4417
SERT personnel answer during business hours (AEST - GMT+10:00).

Security Emergency Response Team
Prentice Centre
The University of Queensland
Australia
