When securing any system, the basic advice is to use “strong passwords” and change them periodically. This also applies to system and domain users. In this post we will briefly go through what can be considered a good password and what Linux tools can help system administrators to improve system security related with users and their passwords.
What is considered a good password?
The robustness of a good password against a brute force attack depends both on its length and the cardinality of the set of symbols. That is why it is a good idea to create passwords of at least 8 characters, that contains uppercase, lowercase, numbers and special characters.
Naturally, you also have to be careful not to write down or forward the password using insecure methods. You must also bear in mind that once a good password has been ‘cracked’, it becomes part of the dictionaries used by ‘crackers’. Therefore, it becomes a weak point in the system security chain.
Password management utilities
There are a number of commands and features that help system administrators to strengthen password security. We would like to highlight these three:
1. Command: samba-tool domain passwordsettings
The “samba-tool domain passwordsettings” utility allows you to establish a number of parameters for the passwords of all users in the domain: Minimum password length and complexity, Password history length, Minimum and maximum password age and Account lockout, among others.
You can see the available options with the following command:
samba-tool domain passwordsettings --help
It is important to keep in mind that you can use this in mixed environments (joined to Windows Domain Controller). However, if there are any existing group policies regarding passwords, these will override your settings. Also, the Samba version (4.7) integrated in Zentyal does not yet support PSOs (Password Settings Objects). This means that the password requirements you establish with this command will apply to all users in the domain.
2. Command: chage
The ‘chage‘ command is an acronym for ‘change age’. As the name implies, this command is mainly used to change the password duration of a specific system user (NOTE: not a domain user). You can use it to view when the user’s password was last changed or establish the number of days between password changes, among other options. It will also allow you to lock the account after it has been inactive for a defined period.
You can obtain more information with the following command:
3. PAM Module: ‘pam_pwquality’
This module checks the quality of passwords when they are introduced by users. Thus, it allows you to apply robust password policies. If you have this functionality installed and configured, when a system user tries to change her password, she will be notified if the new password is secure enough.
Besides performing basic password checks (the new password is not in the dictionary, it is not a palindrome, it is different enough from the previous one, it has a minimum length …), the administrator can configure parameters such as:
- Number of times the user can try to create a strong password
- Maximum number of repeated characters
- Minimum number of uppercase, lowercase and numbers
- Number of characters that must be different from the previous password
- Number of words of the username that the password can include
To see the possibilities this module offers and configure the settings, edit the following configuration file:
There are many utilities to manage passwords, apart from those provided by the operating systems themselves. For example, KeePass is a mature and easy-to-use open source project that also has ports for Linux and Mac OS X. This application will help you to generate passwords from custom character sets or simply save your own passwords.
KeePass has a two-factor authentication system for which it uses passwords and/or “key file” (you can use both or only one of them). You create a small key file from the application itself and keep it safe. By using the application, you will greatly increase the security of your passwords.
Where possible, you should also use “passphrases” choosing four or five words including numbers and special characters. These types of passwords are easier to remember and are especially useful for those resources that you must access repeatedly throughout the day.
In addition, you should periodically change passwords (KeePass will also help manage this task) and be on the lookout for data leaks. To this end, services such as Firefox Monitor are very useful.
Lastly, the best advice we can give for those who need extra security compared to standard Internet user: Get familiar with John the Ripper and how it works.