Password Security
Article Date: 12/93
One of the most important things you can do for security on your Stratus is to implement a strong password policy. As we discussed in the last issue, Identification and Authentication (I&A) of users is a building block of C2-level security or any other major scheme of protection. Although this article will cover some VOS specifics, the general concepts apply just as well to FTX users.
VOS provides the basic foundation for I&A: each user must provide a unique, known ID to the system, and, when challenged, must respond with a password. VOS stores the passwords in an encrypted format and makes them unavailable to anyone browsing the system. The encryption is of a "one-way" type - users (even System Administrators) cannot decrypt passwords.
However, the security administrator must develop and enforce a policy of strong passwords that strikes a balance between securing the system and allowing users easy access. You must communicate the policy to your users and then enforce it, if it is to be effective. The rest of this article will cover some of the VOS technical tools to help you enforce your password policy.
At the simplest level, you need to protect your accounts from brute force attacks that try lots of combinations to see if they can hit the password. Probably the single most effective thing you can do to secure user accounts is to turn on login_admin -max_bad_logins n. Set n to some number greater than 0. If someone tries to log in on a particular account and provides the wrong password n times in a row, that account is "frozen" and must be turned back on by the administrator before anyone can use it. Many sites use a value of 3 or 4 for max_bad_logins. If someone is trying to crack an account, they will only get a few tries rather than the default setting of unlimited.
The size of the password will also determine how hard it is to crack. If you consider that the lower case alphabet, the upper case alphabet, and the digits are allowed for passwords (forget punctuation marks for a moment), then a one character password only has 62 possibilities. However, if the password contains four characters, there are almost 15,000,000 possibilities! Use login_admin -min_password_len n to require users to have reasonably sized passwords. A minimum of 6 or 8 characters will be hard to break but reasonably easy to remember. The maximum value is 32, but that would be a real hardship for your users.
If you are running VOS 11, there are some other command settings which will help enforce your password policy. The choice set_password_security -req_alpha_numeric means the user must use both letters and digits in their password. This immediately adds complexity for the would-be cracker and increases the number of possibilities that must be checked in a brute force attack. The choice set_password_security -forbid_begin_end_numeric means that the user cannot select a simple word as a password and just add a number to meet the alphanumeric requirement.
In the end, the best password security is educating your users on strong and weak passwords and why it is important to your business to use strong passwords. The commands listed here will only assist you in your implementation. In the next issue, we'll try to take a look at "Joe accounts", why they are dangerous, and what tools are available to help you control them.