Choosing a Password
The security of a Networked Server rests on the passwords used to gain access to personal or privileged
information. Since passwords play such an important role in Internet Server security, there are many issues you should
consider when choosing and using them.
Of the many avenues of attack that a malicious individual may resort to when attacking a FreeBSD Internet
Server, password cracking is among the most effective. The UNIX operating system, upon which the FreeBSD
Operating System is based, maintains a list of recognized users and information about their passwords in a special
file (or files) consulted as needed for authentication purposes. The FreeBSD Operating System, on which individual User
Accounts run, stores this information in a file named /etc/passwd located on each Internet Server.
Many cracking techniques in popular use today among malicious individuals seeking to penetrate server security involve
"dictionary guessing", in which computers automate a trial-and-error guessing process to
discover the correct password for a User Account. As a prelude to cracking activity, these individuals will
often attempt to view a server's /etc/passwd file to use it as input to their automated guessing
programs. Due to the design of the UNIX password scheme, the /etc/passwd file does not contain the
actual account passwords. Passwords are instead stored as a special sequence of characters generated by a
specific cryptographic algorithm, using the actual password as an encryption key to encrypt a block of known
plaintext. In addition, these encrypted passwords are stored in a different file that is harder to read
without already having root access to a Server.
As such, knowing the contents of the /etc/passwd file does not provide direct knowledge of any
account passwords. However, it does offer a list of all valid accounts, and a skilled hacker can quickly
check the validity of a guessed password, greatly assisting any cracking effort. Using a large word list
or dictionary, the attacker tries every word or permutation of words in an attempt to guess the password,
checking each result against the encrypted passwords until there is a match.
This process can be surprisingly successful. As a result, you should not use weak passwords that could
feasibly appear in any dictionary, including any foreign-language dictionary. Trivial permutations such as
spelling a dictionary word or account name backwards, concatenating one or more dictionary words, and
prefixing or suffixing dictionary words with letters or digits should also be avoided, because they are among
the first permutations a dedicated attacker will check. Characteristics of good passwords include
sufficient length (traditional UNIX systems recognize and use only the first eight characters of the password, so
plan on choosing passwords at least eight characters in length), sufficient complexity (UNIX passwords are
case sensitive, meaning that uppercase and lowercase letters are not the same, and they may also contain
unusual characters such as punctuation, so plan on using unusual capitalization and
characters), and sufficient obscurity (never use a password that incorporates personal information about
yourself that could be easily obtained).
In the book "Practical UNIX Security", Simson Garfinkel and Gene Spafford offer the following
checklist of things to consider when choosing a password. To be secure, a password should not be any of the
following:
- Your name
- Your spouse's name
- Your parent's name
- Your pet's name
- Your child's name
- Names of close friends or coworkers
- Names of your favorite fantasy characters
- Your boss's name
- Anybody's name
- The name of the operating system you're using
- The hostname of your computer
- Your phone number
- Your license plate number
- Any part of your social security number (or equivalent)
- Anybody's birth date
- Other information that is easily obtained about you
- Words such as "wizard", "guru", "gandalf", and so on
- Any username on the computer in any form (as is, capitalized, doubled, etc.)
- A word in the English dictionary
- A word in a foreign dictionary
- A place
- A proper noun
- Passwords of all the same letter
- Simple patterns of letters on the keyboard, like "qwerty"
- Any of the above spelled backwards
- Any of the above followed or prepended by a single digit
The authors continue and state that good passwords are passwords that are difficult to guess. In general,
good passwords:
- Have both uppercase and lowercase letters
- Have digits and/or punctuation characters as well as letters
- Are easy to remember, so they do not have to be written down
- Are a minimum of eight characters long
- Can be typed quickly, so somebody cannot follow what you type by looking over your shoulder
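As an added example (not from the original page or the book), the two checklists above expressed as a defender-side policy check that a server administrator could run before accepting a new password. The word lists are constructed placeholders standing in for a real dictionary and for the names, hostname and usernames of a particular server.

```python
import string

# Constructed sample lists standing in for a real dictionary, the personal and
# site-specific names the checklist rules out, and the accounts on the machine.
DICTIONARY = {"wizard", "guru", "gandalf", "secret", "dragon", "password"}
PERSONAL = {"alice", "bob", "rex", "boston", "freebsd", "www1"}   # names, OS, hostname
USERNAMES = {"alice", "jdoe"}
KEYBOARD_PATTERNS = {"qwerty", "asdfgh", "zxcvbn", "12345678"}


def forbidden_words():
    """Checklist words plus the trivial permutations an attacker tries first."""
    base = {w.lower() for w in DICTIONARY | PERSONAL | KEYBOARD_PATTERNS}
    for u in USERNAMES:                      # any username: as is, doubled (case is
        base |= {u.lower(), u.lower() * 2}   # handled by lowercasing the candidate)
    variants = set(base)
    variants |= {w[::-1] for w in base}      # any of the above spelled backwards
    for w in list(variants):                 # followed or prepended by a single digit
        for d in string.digits:
            variants |= {w + d, d + w}
    return variants


def check_password(pw):
    """Return the checklist rules the candidate violates; an empty list means it passes."""
    forbidden = forbidden_words()
    low = pw.lower()
    problems = []
    if len(pw) < 8:                          # traditional UNIX crypt uses eight characters
        problems.append("shorter than eight characters")
    if len(set(pw)) == 1:
        problems.append("all the same character")
    if low in forbidden:
        problems.append("dictionary word, name, username, keyboard pattern or trivial variant")
    # concatenating two dictionary words is also among the first permutations checked
    if any(low[:i] in forbidden and low[i:] in forbidden for i in range(1, len(low))):
        problems.append("concatenation of two dictionary words")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("lacks mixed case")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("lacks digits or punctuation")
    return problems


if __name__ == "__main__":
    for cand in ("gandalf1", "Alicealice", "fladnag", "GandalfWizard", "Tr0ub4dor&Mix"):
        print(cand, "->", check_password(cand) or "passes the checklist")
```

A real deployment would load the dictionary and name lists from files and run the check at password-change time; the rules themselves are the ones listed above.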
Remember: following a sensible password policy will help ensure that your
Hosting Account remains the robust and secure system it should always be.