password
... security -
The easiest system to use would allow access to any user and
require no passwords; that is, there would be no security.
Requiring passwords makes the system a little less convenient,
but more secure. Requiring device-generated one-time passwords
makes the system even more difficult to use, but much more
secure.
...
... hardware and software like firewalls
and one-time password generators), performance (i.e., encryption
...
... Authentication Policy which establishes trust through an
effective password policy, and by setting guidelines for remote
location authentication and the use of authentication devices
(e.g., one-time passwords and the devices that generate them).
...
... host in order to examine the data (i.e.,
to search for passwords). Also, infrastructure includes more than
the networks and the routers ...
... RIP-2,
OSPF). There are three levels of protection: clear-text password,
cryptographic checksum, and encryption. Passwords offer only minimal
protection against intruders who do not have direct access to the
...
... routers which, out of the box, attempt to
route packets). The advantage of passwords is that they have a very
low overhead, in both bandwidth ...
... OSPF (RFC 1583(-> 2178(-> 2328std54))) both support clear-text
passwords in their base design specifications. In addition, there
are extensions to each base protocol to support MD5 ...
... Password and key servers generally protect their vital information
(i.e., the passwords and keys) with encryption algorithms. However,
even a one-way encrypted password can be determined by a dictionary
attack (wherein common words are encrypted to see if they match the
...
... service correctly. Access to encrypted
passwords and proprietary data, and the introduction of Trojan horses
are just a few of the potential security holes that can occur when
...
... For many years, the prescribed method for authenticating users has
been through the use of standard, reusable passwords. Originally,
these passwords were used by users at terminals to authenticate
...
... networks (internally or externally), so the risk of disclosure of the
clear text password was minimal. Today, systems are connected
together through local networks, and these local networks ...
... connected together and to the Internet. Users are logging in from
all over the globe; their reusable passwords are often transmitted
across those same networks in clear text, ripe for anyone in-between
...
... CERT* Coordination Center and other
response teams are seeing a tremendous number of incidents involving
packet sniffers which are capturing the clear text passwords.
...
... token-based authentication devices, people are using
password-like strings as secret tokens and pins. If these secret
tokens ...
... One-Time passwords ...
... their systems and networks consider moving away from standard,
reusable passwords. There have been many incidents involving Trojan
network programs (e.g., telnet ...
... sniffing programs. These programs capture clear text
hostname/account name/password triplets. Intruders can use the
captured information for subsequent access to those hosts and
accounts. This is possible because 1) the password is used over and
over (hence the term "reusable"), and 2) the password passes across
the network in clear text.
...
... this problem. Among these techniques are challenge-response
technologies that provide passwords that are only used once (commonly
called one-time passwords). There are a number of products available
that sites should consider using. The decision to use a product is
the responsibility of each organization, and each organization should
...
... When selecting secret tokens, take care to choose them carefully.
Like the selection of passwords, they should be robust against brute
force efforts to guess them. That is, they should not be single
words in any language ...
... Password Assurance ...
...
While the need to eliminate the use of standard, reusable passwords
cannot be overstated, it is recognized that some organizations may
still be using them. While it's recommended that these organizations
transition to the use of better technology, in the meantime, we have
the following advice to help with the selection and maintenance of
traditional passwords. But remember, none of these measures provides
protection against disclosure due to sniffer programs.
...
... The importance of robust passwords - In many (if not most) cases
of system penetration, the intruder needs to gain access to an
account on the system. One way that goal is typically
accomplished is through guessing the password of a legitimate
user. This is often accomplished by running an automated
password cracking program, which utilizes a very large
dictionary, against the system's password file. The only way to
guard against passwords being disclosed in this manner is
through the careful selection of passwords which cannot be
easily guessed (i.e., combinations of numbers, letters, and
punctuation characters). Passwords should also be as long as
the system supports and users can tolerate.
...
... Changing default passwords - Many operating systems and
application programs are installed with default accounts and
passwords. These must be changed immediately to something that
cannot be guessed or cracked.
...
... Restricting access to the password file - In particular, a site
wants to protect the encrypted password portion of the file so
that would-be intruders don't have them available for cracking.
One effective technique is to use shadow passwords where the
password field of the standard file contains a dummy or false
password. The file containing the legitimate passwords is
protected elsewhere on the system.
...
... Password aging - When and how to expire passwords is still a
subject of controversy among the security community. It is
generally accepted that a password should not be maintained once
an account is no longer in use, but it is hotly debated whether
a user should be forced to change a good password that's in
active use. The arguments for changing passwords relate to the
prevention of the continued use of penetrated accounts.
However, the opposition claims that frequent password changes
lead to users writing down their passwords in visible areas
(such as pasting them to a terminal), or to users selecting very
simple passwords that are easy to guess. It should also be
stated that an intruder will probably use a captured or guessed
password sooner rather than later, in which case password aging
provides little if any protection.
...
While there is no definitive answer to this dilemma, a password
policy should directly address the issue and provide guidelines
for how often a user should change the password. Certainly, an
annual change in their password is usually not difficult for
most users, and you should consider requiring it. It is
recommended that passwords be changed at least whenever a
privileged account is compromised, there is a critical change in
...
... administrator!), or when an
account has been compromised. In addition, if a privileged
account password is compromised, all passwords on the system
should be changed.
...
... Password/account blocking - Some sites find it useful to disable
accounts after a predefined number of failed attempts to
authenticate. If your site decides to employ this mechanism, it
is recommended that the mechanism not "advertise" itself. After
disabling, even if the correct password is presented, the
message displayed should remain that of a failed login attempt.
...
... information can be used by would-be intruders to identify
usernames and guess their passwords. It is recommended that
sites consider modifying finger to restrict the information
...
A username and password check should be completed before a user can
access anything on your network. Normal password security
considerations are particularly important (see section 4.1.1).
...
... somewhat more difficult to monitor, but it is prudent to assume that
hackers know how to eavesdrop on your lines. For this reason, you
should use one-time passwords if at all possible.
...
Users will occasionally mis-type a password. Set a short delay - say
two seconds - after the first and second failed logins, and force a
disconnect after the third. This will slow down automated password
attacks. Don't tell the user whether the username ...
... calls back on a specified number). Call-back is useful since if
someone were to guess a username and password, they are disconnected,
and the system then calls back the actual user whose password was
cracked; random calls from a server are suspicious, at best. This
does mean users may only log in from one location (where the server
...
... All logins, whether successful or unsuccessful should be logged.
However, do not keep correct passwords in the log. Rather, log them
simply as a successful login attempt. Since most bad passwords are
mistyped by authorized users, they only vary by a single character
from the actual password. Therefore if you can't keep such a log
secure, don't log it at all.
...
... sessions may be monitored, and a
username/password prompt. Verify possible legal issues related to
the text you put into the banner.
...
For high-security applications, consider using a "blind" password
(i.e., give no response to an incoming call until the user has typed
in a password). This effectively simulates a dead modem.
...
One very important note: do not gather passwords. This creates an
enormous potential security breach if the audit records should be
improperly accessed. Do not gather incorrect passwords either, as
they often differ from valid passwords by only a single character or
transposition.
...
... Department of Defense, "Password Management Guideline", CSC-STD-002-85, 12 April 1985, 31 pages. ...
