Good Passwords, Better Security

1. Why are passwords important? I connect to the Internet only occasionally, so passwords aren’t a big deal, right?

In a word, wrong. But, don’t feel bad. Passwords are one of the most neglected and misunderstood forms of security.

In fact, passwords are vital and necessary for every Linux machine (networked or not) because they provide the last line of defense against intrusion. For example, if you’re using a firewall or packet-filtering software (such as ipchains or ipfwadm) but don’t use passwords, and someone breaches your system, you have no secondary line of defense.

A password is a carefully chosen word, phrase, or sequence of alphanumeric characters that a user provides to validate his (or her) identity. The best password is a truly random sequence of characters, but randomly generated passwords tend to be difficult to remember. The harder a password is to remember, the more likely you are to forget it or write it down. The former is bad, but the latter is much worse! Never write down your password or share it with anyone.

If you’re like most people, you’ll want to create a password using a word or phrase that is meaningful to you. So, the problem becomes how to choose a meaningful password that can’t be guessed easily. Unfortunately, the easiest words for you to remember — your girlfriend’s name, your husband’s favorite color, your pets’ names, nicknames, birthdays, or the last four digits of your social security number — are also the easiest to guess. All of these are bad choices for a password because someone can easily guess or research them. Hobbies and interests are also bad inspirations for passwords. If you have a hobby, especially if it’s well known, any words used in that hobby become easy guesses, even if they may be obscure to the public.

So, what makes for a good password? Here are some rules to follow to create effective and unobvious passwords:

  • Choose a password of six or more characters. The longer the password, the better!

  • Mix upper and lower case. Passwords are typically case-sensitive, and mixed case passwords make good passwords even better.

  • Use letters and non-alphabetic characters in your password. %#@*& might look like gibberish, but that’s the point.

  • Avoid using the names of family, friends, and coworkers, as well as birthdays and anniversaries. Also avoid using your phone number, social security number, and license plate number.

  • Avoid slang words and words found in the dictionary, including foreign dictionaries.

  • Avoid any dictionary word spelled backwards.

  • Avoid any single word with a digit appended or prepended.

Be creative! If you use at least six characters, you can have any one of potentially 5,188,579,746,500,610 passwords!
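The rules above are mechanical enough to check automatically. The following Python checker is an added example, not code from the original article; it flags each rule the article lists (minimum length, mixed case, a non-alphabetic character, personal data, dictionary words forwards or backwards, and a dictionary word with digits tacked on) and estimates the size of the search space a guesser would face. The word list is a small constructed stand-in for a system dictionary such as /usr/share/dict/words, and MIN_LENGTH mirrors the article's six characters as a constant you can raise.

```python
import math
import string
from typing import Iterable, List

# Constructed stand-in for a system dictionary (e.g. /usr/share/dict/words).
# A real checker would load the full file (and foreign-language lists) here.
DICTIONARY = {
    "password", "secret", "welcome", "dallas", "linux", "kitten",
    "orange", "summer", "monkey", "dragon", "football",
}

MIN_LENGTH = 6  # the article's minimum; raise it for current practice


def _is_dictionary_word(word: str) -> bool:
    return word.lower() in DICTIONARY


def _strip_digits(candidate: str) -> str:
    """Remove any run of digits from the start and end of the candidate."""
    return candidate.strip(string.digits)


def check_password(candidate: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes.

    personal_info is a caller-supplied set of names, numbers, and so on that
    must not appear in the password (hypothetical parameter, not from the article).
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("does not mix upper and lower case")
    if not any(not c.isalpha() for c in candidate):
        problems.append("contains only letters")

    lowered = candidate.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")

    # Dictionary checks: the word itself, the word reversed, and the word with
    # digits appended or prepended (the three cases the article warns about).
    core = _strip_digits(lowered)
    if _is_dictionary_word(lowered):
        problems.append("is a dictionary word")
    elif _is_dictionary_word(lowered[::-1]):
        problems.append("is a dictionary word spelled backwards")
    elif core != lowered and _is_dictionary_word(core):
        problems.append("is a dictionary word with digits appended or prepended")
    return problems


def keyspace_bits(candidate: str) -> float:
    """Estimate, in bits, the search space of passwords of this length drawn
    from the character classes the candidate actually uses.
    Classes are sized by printable ASCII: 26 lower, 26 upper, 10 digits,
    32 punctuation characters."""
    pool = 0
    if any(c.islower() for c in candidate):
        pool += 26
    if any(c.isupper() for c in candidate):
        pool += 26
    if any(c.isdigit() for c in candidate):
        pool += 10
    if any(c in string.punctuation for c in candidate):
        pool += len(string.punctuation)
    if pool == 0:
        return 0.0
    return len(candidate) * math.log2(pool)


if __name__ == "__main__":
    for sample in ("Password", "teRces", "Secret123", "r7$Kq2!vX"):
        verdict = check_password(sample, personal_info=("Dallas",)) or ["OK"]
        print(f"{sample:12s} {keyspace_bits(sample):5.1f} bits  {'; '.join(verdict)}")
```

The keyspace figure is only a ceiling on what a brute-force guesser must cover; a password that trips any of the dictionary rules falls to a word-list attack long before that ceiling matters, which is why the rule checks come first.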

2. What can I do to enhance my security?

There are a number of things you can do to improve the security of your Linux machine:

  • Choose good passwords.

  • Only install software you use or need.

  • Only install software from known, safe distribution locations (don’t take software from strangers).

  • Use a firewall, or packet filtering software like ipchains.

  • Be sure to install the appropriate security patches.

  • Disable any services you do not need. For example, if you do not need an FTP server, disable it.

  • Do not allow anonymous or guest logins.

  • Use ssh instead of telnet. Better yet, disable telnet on all of your systems.

You can also have knowledgeable friends attack you and report their results.

There are also a number of good security packages on the Internet, including Crack, COPS, npasswd, and Tripwire. Each of these packages can enhance the security of your machine, depending on your requirements.

John R. S. Mascio is a systems and network manager living near Dallas, TX with his wife and eight cats. John can be reached at mascio@ryu.com.