Section 7.1 General Policy

[Danger-level icon: five]

It is imperative for users to select a password that is not easy to guess and that certainly is not a default password. I recommend giving each new user a different initial password, which could be a simple phrase, and requiring them to change it immediately. I have found that picking a phrase from current events can bring someone a smile, and yet it will not be guessable a few weeks later when it is no longer current. I then check an hour later that the user has changed the password by trying to log in as the user with the initial password. This prevents another disgruntled (or fired) employee from trying the same initial password on each new account. I recommend carefully reading the passwd(1) man page, as it has lots of good advice on password selection, and incorporating it into your policy. Some items to include follow.

  1. Any initial password given by the SysAdmin should be changed within one hour of receipt. (The SysAdmin should verify this.)

  2. Passwords should not include any information which others that know the person could guess, such as the name of her children, automobile, hobby, hubby, or hound.

  3. Passwords should include at least one nonalphanumeric character (preferably two), such as any of !@#$%^&*()+=[]{}|:;'<>,.`~?/.

  4. Passwords should not be a single word or pair of words.

  5. Passwords should not consist solely of lowercase letters or solely of uppercase letters or solely of digits.

  6. Passwords should not be written down.

  7. Passwords should not be revealed to anyone except the SysAdmin (not even to one's manager). This should be considered a very serious offense, similar to giving out building keys to unauthorized people.
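As an added example (not code from the book), the following checker enforces items 2 through 5 of the list above; the list of guessable personal words is assumed to be supplied by the caller, and item 4 is approximated without a dictionary.

```python
import re
import string

# The nonalphanumeric characters the policy lists for rule 3.
SPECIALS = set("!@#$%^&*()+=[]{}|:;'<>,.`~?/")

def check_password(password, personal_words=(), min_special=1):
    """Return the list of policy rules `password` violates (empty = accepted).

    personal_words: things an acquaintance could guess (rule 2), such as the
    names of the user's children, car, hobby, spouse or dog.  Assumption: the
    caller has such a list, e.g. from the user's account record.
    min_special: rule 3 wants at least one special character, preferably two.
    """
    violations = []
    lowered = password.lower()

    # Rule 2: no guessable personal information (case-insensitive substring).
    for word in personal_words:
        if len(word) >= 3 and word.lower() in lowered:
            violations.append(f"contains personal word {word!r}")

    # Rule 3: at least min_special characters drawn from SPECIALS.
    n_special = sum(1 for ch in password if ch in SPECIALS)
    if n_special < min_special:
        violations.append(f"needs at least {min_special} special character(s)")

    # Rule 4: purely alphabetic, either one word or two words joined by a
    # space or hyphen.  Approximation: no dictionary lookup is attempted.
    if re.fullmatch(r"[A-Za-z]+(?:[ -][A-Za-z]+)?", password):
        violations.append("is a single word or a pair of words")

    # Rule 5: not solely lowercase, solely uppercase or solely digits.
    for charset, label in ((string.ascii_lowercase, "lowercase letters"),
                           (string.ascii_uppercase, "uppercase letters"),
                           (string.digits, "digits")):
        if password and all(ch in charset for ch in password):
            violations.append(f"consists solely of {label}")

    return violations

if __name__ == "__main__":
    # Constructed sample: words this user's acquaintances would know.
    known = ["Fido", "Mustang", "chess"]
    for candidate in ["password", "Fido2019", "12345678", "Red sky at night!"]:
        result = check_password(candidate, personal_words=known)
        print(f"{candidate!r}: {'accepted' if not result else ', '.join(result)}")
```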

"Avoiding Weak and Default Passwords" on page 42 goes into more details on passwords, and is must reading.


Real World Linux Security (Prentice Hall PTR Open Source Technology Series), 2002, 260 pages.