The most basic aspect of securing information systems is password security. Unfortunately, this is often overlooked or not given the attention it deserves. Source IP addresses can be spoofed, physical access can be gained, social engineering can occur; but if you have good practices in place to protect your passwords, you still have a chance at defeating hackers. Let's take a look at how to make password security work on Linux servers.
Overview of password security
Since the dawn of computers, the primary means of restricting access has been through passwords. Although much of the software and hardware has changed over the years, dependence on passwords has not. The act of choosing a password, while now commonplace, can nonetheless be extremely important.
A simple, easily guessed password is like an unlocked door—if intruders discover it, they're going to come in. A good password can take years to crack, but a bad one can take only minutes. That's why it's important to ask several questions about your password practices:
- Have you established known standards for setting passwords?
- Are your passwords encrypted?
- Are you using shadow passwords?
These questions are a good place to start in making sure that your Linux passwords are secure.
Enforcing password requirements
The first step in password security is selecting a password that is hard to guess. Unfortunately, users tend to select passwords that are easy to remember—and easy for hackers to guess. Remembering passwords is important, but it is more important to make sure that they're secure. So instead of a child's name, pet's name, or spouse's birthday, users need to come up with passwords that can't be guessed using some minimal investigation by a hacker.
Mixing and matching uppercase and lowercase letters can help, and so can throwing in a number or two. Not only will this make the password harder to guess, but it will also make it harder for hacker to use a brute-force attack, where the hacker gets a list of encrypted passwords and tries to match them to a dictionary of words. Randomly generated passwords may sound good, and I’ve seen systems that use them. But for the most part, it's better if users can remember their passwords. This TechRepublic article provides a method for creating secure passwords that are easy to remember.
A lot of this may sound like common sense, but the trick is getting your users to follow the password requirements that you set up. In Linux, most versions of Passwd (the standard password software) are capable of screening the password when the user enters it. For instance, it can be configured to reject passwords of fewer than six characters or those that don't include at least two numbers. Programs such as Npasswd, which can completely replace Passwd, take the process a step further. Npasswd will run checks to make sure a password is relatively hard to guess before allowing a user to select it. This is a great place to start when enforcing passwords and leaves some of the legwork to the individual user.
For current password databases, you can use a number of tools to audit password security. Programs like Crack and John the Ripper let you test your current system passwords. These programs attempt to decipher /etc/passwd/ and output the results. The simpler a password is, the quicker it can be broken. The more passwords that can be broken, the more holes will exist in your systems. Blocking someone from getting in at all is preferable, but not always possible. The best security involves setting up roadblocks for hackers so that they can't get at the password databases while making sure users have passwords that are difficult to crack.
Password database protection
The next step is making sure that passwords don't fall into the wrong hands. Security needs to start at the user level. Not only should users be aware that choosing a good password is essential, they should also be careful not to write passwords down and leave them lying about. Plain text files and scraps of paper in a wallet are not the best way to go. Ideally, passwords should be memorized or stored under encryption whenever possible.
Another option for Linux administrators is implementing shadow passwords. Shadow passwords work with the standard /etc/passwd file, creating a separate encrypted file readable only by root. Programs can still use /etc/passwd, accessing information such as UID (User-ID) and GID (Group-ID) but not the encrypted passwords themselves. This adds another level of security and basically means a hacker would need to obtain root to gain access to the encrypted passwords. On a Red Hat system, the pwconv tool can convert a nonshadowed password file to shadow format. To reverse this process, you simply run pwunconv. Other Linux distributions may operate differently; check your documentation to see how to turn on shadow passwords.
You can employ a variety of tactics to ensure that your system’s password security is up to standard. First and foremost, educate your users. Set a policy and make sure that your software can enforce it. This may mean defining what an acceptable password is, dictating how often it needs to be changed, and even specifying how many characters it should have. You can also run checks against your current password database and look for weak spots. And don’t forget shadow passwords—they offer a quick and easy way to add a layer of protection.