User guide

Chapter 2. Securing Your Network
26
Next, turn it into an acronym (including the punctuation).
otrattw,tghwg.
Add complexity by substituting numbers and symbols for letters in the acronym. For example,
substitute 7 for t and the at symbol (@) for a:
o7r@77w,7ghwg.
Add more complexity by capitalizing at least one letter, such as H.
o7r@77w,7gHwg.
Finally, do not use the example password above for any systems, ever.
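The three steps above (acronym, substitution, capitalisation) written out as a small Python script, added here as an illustration and not taken from the guide. The substitution table and the capitalised letter are the guide's own example values; the phrase is assumed to be the guide's preceding example sentence, reconstructed so that its acronym matches the one shown above; the function names are this example's.

```python
"""Mnemonic-password method from the guide, as a worked example.

Added illustration, not code from the original guide. The substitution map
and the capitalisation rule are the guide's example values; the phrase is an
assumed reconstruction of the guide's example sentence; the function names
are this example's own.
"""
import string

# Letter-to-symbol substitutions used in the guide's example: 7 for t, @ for a.
SUBSTITUTIONS = {"t": "7", "a": "@"}


def acronym(phrase: str) -> str:
    """First letter of each word, lower-cased, keeping any trailing punctuation."""
    parts = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)   # "woods," -> "woods"
        trailing = word[len(core):]              # ","  (empty for most words)
        if core:
            parts.append(core[0].lower())
        parts.append(trailing)
    return "".join(parts)


def substitute(text: str, table: dict) -> str:
    """Replace every occurrence of a mapped letter with its digit or symbol."""
    return "".join(table.get(c, c) for c in text)


def capitalize_first(text: str, letter: str) -> str:
    """Upper-case the first occurrence of `letter` (the guide capitalises one H)."""
    return text.replace(letter, letter.upper(), 1)


def mnemonic_password(phrase: str, table=SUBSTITUTIONS, letter="h") -> str:
    """Run the three steps in order: acronym, substitution, capitalisation."""
    return capitalize_first(substitute(acronym(phrase), table), letter)


if __name__ == "__main__":
    # Assumed reconstruction of the guide's example phrase (constructed here
    # so that its acronym is the one printed in the guide).
    phrase = "over the river and through the woods, to grandmother's house we go."
    print(acronym(phrase))             # otrattw,tghwg.
    print(mnemonic_password(phrase))   # o7r@77w,7gHwg.
```

Because the same phrase, table and letter always yield the same string, the value of the method lies in the phrase being private; a phrase lifted from a well-known saying or song, or the guide's own example, gains nothing from the substitutions.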
While creating secure passwords is imperative, managing them properly is also important, especially
for system administrators within larger organizations. The following section details good practices for
creating and managing user passwords within an organization.
2.1.3.2. Creating User Passwords Within an Organization
If an organization has a large number of users, the system administrators have two basic options
available to force the use of good passwords. They can create passwords for the user, or they can let
users create their own passwords, while verifying the passwords are of acceptable quality.
Creating the passwords for the users ensures that the passwords are good, but it becomes a daunting
task as the organization grows. It also increases the risk of users writing their passwords down.
For these reasons, most system administrators prefer to have the users create their own passwords,
but actively verify that the passwords are good and, in some cases, force users to change their
passwords periodically through password aging.
2.1.3.2.1. Forcing Strong Passwords
To protect the network from intrusion, it is a good idea for system administrators to verify that the
passwords used within an organization are strong ones. When users are asked to create or change
passwords, they can use the command-line application passwd, which is Pluggable Authentication
Modules (PAM) aware and therefore checks whether the password is too short or otherwise easy
to crack. This check is performed using the pam_cracklib.so PAM module. Since PAM is
customizable, it is possible to add more password integrity checkers, such as pam_passwdqc
(available from http://www.openwall.com/passwdqc/) or to write a new module. For a list of available
PAM modules, refer to http://www.kernel.org/pub/linux/libs/pam/modules.html. For more information
about PAM, refer to Managing Single Sign-On and Smart Cards.
The password check performed at the time of creation does not discover bad passwords
as effectively as running a password cracking program against the passwords.
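To make concrete what a creation-time check of the kind described above looks for, the following Python function is a simplified model of such checks (minimum length, character classes, palindromes, dictionary words with common digit/symbol substitutions undone, the user name, and similarity to the old password). It is an added example and not pam_cracklib's code; the word list and thresholds are constructed for the demonstration.

```python
"""Simplified model of a creation-time password-quality check.

Added example; not pam_cracklib's implementation. The word list, thresholds
and the substitution table are constructed for illustration.
"""
import difflib

# Constructed stand-in for a dictionary; a real check uses a full wordlist.
WORDLIST = {"password", "welcome", "letmein", "qwerty", "dragon", "summer"}

# Undo common letter substitutions before the dictionary lookup.
LEET = str.maketrans("013457@$", "oleastas")


def weaknesses(candidate, old=None, username=None, minlen=10, min_classes=3):
    """Return a list of reasons the candidate is weak; empty means it passed."""
    problems = []
    lowered = candidate.lower()

    if len(candidate) < minlen:
        problems.append(f"shorter than {minlen} characters")

    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < min_classes:
        problems.append(f"uses only {classes} of 4 character classes")

    if lowered == lowered[::-1]:
        problems.append("is a palindrome")

    # Dictionary check on the normalised form: "P@ssw0rd" -> "password".
    normalized = lowered.translate(LEET)
    stripped = "".join(c for c in normalized if c.isalpha())
    if normalized in WORDLIST or stripped in WORDLIST:
        problems.append("is a dictionary word (after undoing common substitutions)")

    if username and username.lower() in lowered:
        problems.append("contains the user name")

    if old:
        if lowered == old.lower():
            problems.append("is the same as the old password")
        elif difflib.SequenceMatcher(None, lowered, old.lower()).ratio() > 0.75:
            problems.append("is too similar to the old password")

    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "o7r@77w,7gHwg."):
        print(pw, "->", weaknesses(pw) or "ok")
```

The real module exposes the analogous knobs as options on the pam_cracklib.so line (for example minlen, difok and the per-class credit options); the point of the model is to show why a dictionary word with digits swapped in still fails, and why a new password that differs from the old one by a single appended character is rejected as too similar.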
Many password cracking programs are available that run under Red Hat Enterprise Linux, although
none ship with the operating system. Below is a brief list of some of the more popular password
cracking programs:
John The Ripper — A fast and flexible password cracking program. It allows the use of multiple
word lists and is capable of brute-force password cracking. It is available online at
http://www.openwall.com/john/.
Crack — Perhaps the most well known password cracking software, Crack is also very fast, though
not as easy to use as John The Ripper. It can be found online at
http://www.crypticide.com/alecm/security/crack/c50-faq.html.