User manual
Appendix I: Miscellaneous
Password Security
You can have the best security in the world; however, if you have a user who uses an easily guessed
password, or machines that share the same username/password combination, then even the most advanced
security will not protect your company’s resources.
Passwords need to be simple enough to remember, yet not easily guessed by someone who knows something
about the person who created the password. For instance, the password that former President Clinton used
for his e-signature when signing the e-signature bill was “Spot,” the name of his cat. Anyone obtaining his
card at that point could easily have broken in and used his electronic signature simply by trying the
names of his family and pets against the card.
Passwords should be about 7-10 characters long, consisting of a mix of letters and other characters.
Taking some letters from a phrase that only the user knows and does not share, and then breaking the
phrase up with non-alphabetic characters in the middle, helps both the user and you. Never base
passwords on a single entity, such as a show or favorite author; use combinations of two or more entities
instead. And never use anything remotely related to one’s own or family members’ names, birthdays or ages.
Make sure that users with multiple accounts or access points have a unique password for each point (just as
one should not use the same 4-letter code for one’s voice mail and ATM accounts).
Manufacturer-supplied default passwords are another vulnerability. Always check that the manufacturer-
supplied default passwords have been changed on each and every machine, and never allow anyone to use
the same username/password combination on multiple machines in your company. It is one thing to use a
central authentication service that lets users onto multiple boxes (such as TACACS for Cisco routers); it
is another to have all the boxes default to the same passwords through other connection means.
(Three Internet companies alone in 1990-2000 had security breaches because all machines had the same
password for users. In one case, the manufacturer’s default had never been changed.)
We have provided a basic list of common passwords and usernames in the bruteforce.txt file. In addition,
there is a longer list of passwords in largebrute.txt, the same passwords spelled backwards in
largebruteback.txt, and default system passwords for a variety of systems in systemdefault.txt.
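The following Python checker is an added example, not part of this manual or its scanner. It applies the guidelines above at the moment a password is set: the 7-character low end of the length guideline (no upper bound is enforced), a required mix of letters and other characters, rejection of anything found in the common-password list, its backwards spelling, or the manufacturer-default list, rejection of the username and of personal tokens such as pet and family names or birth years, and a reuse registry that flags the same password being set on a second account or machine. The word lists embedded here are short constructed stand-ins for bruteforce.txt, largebrute.txt, largebruteback.txt and systemdefault.txt; the real files are much longer and their on-disk format is not assumed.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the manual's word lists (real lists run to thousands of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "spot", "welcome"}  # bruteforce.txt / largebrute.txt
COMMON_PASSWORDS_REVERSED = {p[::-1] for p in COMMON_PASSWORDS}                     # largebruteback.txt
SYSTEM_DEFAULTS = {("admin", "admin"), ("root", ""), ("cisco", "cisco")}           # systemdefault.txt (user, pass)

MIN_LENGTH = 7  # low end of the manual's 7-10 character guideline; no maximum is enforced


def check_password(username, password, personal_tokens=()):
    """Return the list of guideline violations for a proposed password; an empty list means it passes.

    personal_tokens: names, pet names, birth years etc. known for this user (assumed to be
    collected from the account record); any token of 3+ characters found in the password fails it.
    """
    problems = []
    low = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)
    if not (has_letter and has_other):
        problems.append("does not mix letters with digits or other characters")
    if low in COMMON_PASSWORDS:
        problems.append("listed in the common-password list")
    if low in COMMON_PASSWORDS_REVERSED:
        problems.append("is a common password spelled backwards")
    if (username.lower(), low) in SYSTEM_DEFAULTS:
        problems.append("is a manufacturer default for this account")
    if username and username.lower() in low:
        problems.append("contains the username")
    for token in personal_tokens:
        t = token.lower()
        if len(t) >= 3 and t in low:
            problems.append(f"contains personal information ({token!r})")
    return problems


class ReuseRegistry:
    """Detects the same password being set on more than one account or machine.

    Only a keyed HMAC-SHA256 fingerprint of each password is stored, so the registry
    is useless to anyone who obtains it without the key (which must live elsewhere).
    """

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._owners = {}  # fingerprint -> set of "user@host" labels

    def _fingerprint(self, password):
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def register(self, account, password):
        """Record that `account` (e.g. "alice@router1") now uses this password."""
        self._owners.setdefault(self._fingerprint(password), set()).add(account)

    def other_users(self, account, password):
        """Accounts other than `account` already using exactly this password (sorted list)."""
        return sorted(self._owners.get(self._fingerprint(password), set()) - {account})


if __name__ == "__main__":
    # Constructed sample proposals, including the "Spot" case from the manual.
    samples = [("bill", "Spot"), ("admin", "admin"), ("alice", "drowssap"), ("alice", "mD8tc0F!")]
    for user, pw in samples:
        print(f"{user}/{pw}: {check_password(user, pw, personal_tokens=('Spot', 'Chelsea')) or 'OK'}")

    reg = ReuseRegistry()
    reg.register("alice@router1", "mD8tc0F!")
    print("already used on:", reg.other_users("alice@router2", "mD8tc0F!"))  # ['alice@router1']
```

The "mD8tc0F!" sample follows the phrase method described above (initial letters of a private phrase, broken up with digits and punctuation) and passes; "drowssap" is caught only because the reversed list is checked, which is why largebruteback.txt exists alongside largebrute.txt. Run the reuse check before accepting a password on a new machine, so that one compromised box never yields credentials for the rest.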
Online resources regarding password security:
• Vislab’s Common Password Guidelines: http://www.vislab.ua.edu/Common/Passwords.html
• “Techniques Adopted By 'System Crackers' When Attempting To Break Into Corporate or
Sensitive Private Networks.” From Network Security Solutions Ltd. Front-line Information
Security Team (FIST), December 1998. http://www.ns2.co.uk/archive/FIST/papers/NSS-cracker.txt
• Papers on password security: http://www.packetstormsecurity.org/papers/password/
• DoD password guidelines: http://www.packetstormsecurity.org/papers/password/dodpwman.txt
• Password cracking FAQ: http://www.password-crackers.com/pwdcrackfaq.html
• Password cracking Tools: http://www.password-crackers.com/pwdcracking.html