Based on the 60 Minute Network Security Guide by the National Security Agency
Compromised passwords are a common way into a computer or system. An attacker who logs in with valid credentials can gain access without raising suspicion, because authenticated accesses are rarely monitored. In daily life I have noticed that many users use really poor passwords based on dictionary words, names, dates of birth or even the same string as the username. Weak passwords can be cracked in seconds with one of the many publicly available password crackers such as Ophcrack or John the Ripper. Many users also reuse the same password (and username) across different computers, systems and services, so if one password is compromised all the other systems are in danger.
And then the worst part: users are also willing to share their password for administrative purposes. I personally try to avoid asking for a user's password, but sometimes it's just so much easier to do certain support tasks, such as tweaking an application's interface, when you can log in with the user's credentials.
General guidelines for password security include the following:
– Passwords should be 12 or more characters in length.
– Users should never share their passwords nor keep written passwords in an easily accessible place.
– Passwords should be difficult to guess and include uppercase, lowercase, special and numeric characters.
– Passwords should not include dictionary words or names.
– The system administrator should ensure that the password policy is being followed.
– Passwords should be changed every 30 to 90 days.
– On UNIX-based systems passwords should be stored only as hashes in the /etc/shadow file (never in the world-readable /etc/passwd). The following system accounts should be locked by placing *LK* in the password field of /etc/shadow: adm, bin, daemon, listen, lp, nobody, noaccess, nuucp, smtp, sys, uucp. The login shell of these accounts should also be set to /dev/null. (The *LK* marker is the Solaris convention; on Linux, passwd -l locks an account by prefixing the hash field with !, and /sbin/nologin or /bin/false is the usual non-interactive shell.)
– Services should run under dedicated non-privileged accounts.
– Passwords for privileged accounts should be 14 or more characters in length.
– The Guest account should be disabled.
– All accounts should have a password, regardless of whether the account is enabled or disabled.
– Prevent LAN Manager (LM) hashes from being stored in the SAM or Active Directory by turning off the creation of LM hashes. On Windows 2000 SP2 or later this is done by setting the HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash registry value (a DWORD) to 1; the same setting is exposed as the security option "Network security: Do not store LAN Manager hash value on next password change", and Windows Vista / Server 2008 and later no longer store LM hashes by default. Existing LM hashes remain until the next password change, so force a password change after enabling the setting.
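A checker that enforces the guidelines above (minimum length by account class, all four character classes, no username or dictionary word inside the password, no reuse of the last 24 passwords) is added here as an example; it is not code from the NSA guide or from the original post. The 12/14-character minimums and the 24-entry history come from the list above; the word list, the username jsmith and the candidate passwords are constructed test data.

```python
"""Password policy checker for the guidelines above (added example).

Thresholds (12/14 characters, four character classes, 24 remembered
passwords) come from the list above; DICTIONARY is a constructed stand-in
for a real word list such as /usr/share/dict/words.
"""
import hashlib
import string

MIN_LENGTH = 12             # normal accounts
MIN_LENGTH_PRIVILEGED = 14  # privileged accounts
HISTORY_SIZE = 24           # "Enforce password history: 24 passwords remembered"

# Constructed sample word list; a real deployment loads a full dictionary.
DICTIONARY = {"password", "summer", "admin", "welcome", "dragon", "monkey"}


def fingerprint(password):
    """Hash kept in the history instead of the password itself.

    SHA-256 keeps the example self-contained; a real history should store
    salted, slow hashes (bcrypt/scrypt/Argon2) so the list is not crackable.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def policy_violations(password, username, privileged=False,
                      history=(), dictionary=DICTIONARY):
    """Return the list of guideline violations; an empty list means accepted."""
    problems = []

    minimum = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")

    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numeric": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")

    # Any word of four or more letters embedded anywhere in the password,
    # ignoring case, counts as a dictionary-based password ("Summer2024").
    hits = sorted(w for w in dictionary if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))

    if fingerprint(password) in set(history[-HISTORY_SIZE:]):
        problems.append(f"reused one of the last {HISTORY_SIZE} passwords")

    return problems


def remember(history, password):
    """Append the accepted password's fingerprint, keeping the newest HISTORY_SIZE."""
    return (list(history) + [fingerprint(password)])[-HISTORY_SIZE:]


if __name__ == "__main__":
    history = []
    for candidate in ("Summer2024", "Jsmith!!2024xyz", "Tr!ck-Wharf_77q"):
        result = policy_violations(candidate, "jsmith", history=history)
        print(candidate, "->", result or "OK")
        if not result:
            history = remember(history, candidate)
    # Reusing the password that was just accepted is now rejected.
    print(policy_violations("Tr!ck-Wharf_77q", "jsmith", history=history))
```

The dictionary test is deliberately a substring match rather than an exact one: "Summer2024" is exactly the kind of password the guideline is aimed at, and an exact-match check would let it through.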
The following settings can be configured in the Windows Local Security Policy or in a Group Policy Object. In a domain, the password and account lockout policies for domain accounts must be configured in a GPO linked at the domain level (by default the Default Domain Policy); the same settings in an OU-level GPO only affect the local accounts of the computers in that OU.
[Account Policies]-[Password Policy]
Enforce Password History: 24 passwords remembered
Maximum Password Age: 90 days
Minimum Password Age: 1 day
Minimum Password Length (for normal accounts): 12 characters
Minimum Password Length (for privileged accounts): 14 characters
Password must meet complexity requirements: Enabled
Store password using reversible encryption for all users in the domain: Disabled
[Account Policies]-[Account Lockout Policy]
Account lockout duration: 15 minutes
Account lockout threshold: 3-5 invalid logon attempts
Reset account lockout counter after: 15 minutes
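One way to verify that a machine actually carries the settings listed above is to export its effective policy with secedit /export /cfg policy.inf and compare the export against the table. The script below does that; it is an added example and not part of the original post. The two INF fragments embedded in it are constructed samples (a weak, default-style export and one matching the table). The key names under [System Access] are the ones secedit writes, and the NoLMHash registry setting from the LM hash guideline appears under [Registry Values] as type,data (4 = REG_DWORD) only when the policy defines it, so its absence is reported as a finding too.

```python
"""Audit a Windows security-policy export against the settings above.

Added example, not from the original post. Input is the INF written by
``secedit /export /cfg policy.inf``; the two exports below are constructed.
"""

# Baseline from the table above. Each entry is (check, expected).
BASELINE = {
    "PasswordHistorySize":   ("min", 24),
    "MaximumPasswordAge":    ("between", (1, 90)),  # -1 in an export = never expires
    "MinimumPasswordAge":    ("min", 1),
    "MinimumPasswordLength": ("min", 12),           # 14 for privileged accounts, see note
    "PasswordComplexity":    ("eq", 1),
    "ClearTextPassword":     ("eq", 0),             # reversible encryption disabled
    "LockoutBadCount":       ("between", (3, 5)),
    "LockoutDuration":       ("min", 15),
    "ResetLockoutCount":     ("min", 15),
}
# Registry-backed setting from the LM hash guideline; exported as "type,data".
NOLMHASH = r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash"

# Constructed sample: a workstation-style export with weak defaults.
WEAK_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 5
LockoutBadCount = 0
ClearTextPassword = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the same machine after applying the table above.
HARDENED_EXPORT = r"""
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
ClearTextPassword = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""


def parse_inf(text):
    """Return {section: {key: value}} from the INI-style export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def satisfies(check, expected, actual):
    if check == "min":
        return actual >= expected
    if check == "eq":
        return actual == expected
    if check == "between":
        return expected[0] <= actual <= expected[1]
    raise ValueError(f"unknown check {check!r}")


def audit(text):
    """Return [(setting, actual, expected)] deviations; empty means compliant.

    A setting missing from the export (e.g. no LockoutDuration line while the
    lockout threshold is 0) is reported with actual=None, not silently passed.
    """
    sections = parse_inf(text)
    access = sections.get("System Access", {})
    findings = []
    for key, (check, expected) in BASELINE.items():
        if key not in access:
            findings.append((key, None, f"{check} {expected}"))
            continue
        actual = int(access[key])
        if not satisfies(check, expected, actual):
            findings.append((key, actual, f"{check} {expected}"))
    lm = sections.get("Registry Values", {}).get(NOLMHASH)
    if lm != "4,1":  # REG_DWORD (4) with data 1
        findings.append(("NoLMHash", lm, "4,1"))
    return findings


if __name__ == "__main__":
    for setting, actual, expected in audit(WEAK_EXPORT):
        print(f"{setting}: {actual!r} (want {expected})")
    print("hardened export deviations:", audit(HARDENED_EXPORT))
```

Note that a single password policy carries only one MinimumPasswordLength, so the 14-character minimum for privileged accounts in the table cannot be expressed in the same policy object; it needs a separate policy scope (in Active Directory a fine-grained password policy) or has to be enforced by procedure.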