The use of passwords for user identification and authentication is one of the foundations supporting the security structure of the HP NonStop server operating system.
BP-PASSWORD-POLICY-01 Passwords must be required.
Passwords are also the most easily compromised method of user identification. Detection of their fraudulent use is difficult because the compromised passwords are still available to the authorized user.
RISK A user working on a number of systems, using more than one userid and, perhaps, one or more aliases, and faced with keeping passwords for each one up-to-date across multiple nodes tends to choose easy-to-remember passwords and to use them over and over again. Hackers make use of this and base their password attacks on personal information about the users. Passwords should, therefore, be "strengthened" by ensuring that they don't contain personal information. Easily compromised values such as names or important dates should not be permitted.
RISK Another common password attack is a 'dictionary attack,' which compares encrypted passwords to a list of words encrypted using the same algorithm. Again, the imposition of rules that govern the contents of the password strengthens the password by making it less likely to contain a common word that will be found in the encrypted dictionary.
RISK Finally, there are some userids that are so sensitive that restricted knowledge of their passwords is essential to prevent deliberate or inadvertent damage to corporate systems. The preferred method of protecting these sensitive passwords is to split the password into two or more parts and have different people create and enter the separate parts and then seal the password in an envelope, which can be locked up if desired.
AP-PASSWORD-POLICY-01 The Corporate Security Policy should mandate the use of Strong Passwords.
When a password contains different types of characters, it is much harder for the password to be compromised based on personal knowledge or dictionary attack.
BP-PASSWORD-POLICY-02 Passwords should be stored encrypted.
BP-PASSWORD-POLICY-04 When passwords are sent, propagated, or otherwise transmitted across networks they should be encrypted.
BP-PASSWORD-QUALITY-01 Passwords should be 6-8 characters in length.
BP-PASSWORD-QUALITY-02 Passwords should contain at least one number.
BP-PASSWORD-QUALITY-03 Passwords should contain at least one upper case and one lower case character.
BP-PASSWORD-QUALITY-04 Passwords should contain at least one special character.
3P-PASSWORD-CONTROL-01 Use a third party product that can control the length, character content and other limitations on the password.
Safeguard software has the added capability of expiring passwords at regular intervals. This feature will be discussed separately, in the subsection of the Safeguard password discussion that follows.
Other procedural rules can be used to harden passwords:
Generating random passwords that conform to the password quality rules ensures that dictionary attacks are ineffective.
AP-ADVICE-PASSWORD-01 Splitting passwords for sensitive userids into two or more parts ensures that no single person knows the entire password.
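The quality rules above (BP-PASSWORD-QUALITY-01 to -04), the dictionary-word and personal-information checks described under the RISK paragraphs, and the random-generation advice can all be exercised in one small checker. The code below is an added example written for this page; it is not NonStop, TACL, Safeguard or any third-party product's code. The length range, character-class rules and the idea of rejecting dictionary words come from the page; the word list and the personal-information items are constructed sample data, and the function names are the author's own.

```python
"""Password quality checker and generator following the rules stated on this
page: 6-8 characters, at least one digit, one upper- and one lower-case letter,
one special character, and no dictionary word or personal information.
Added example, not NonStop/Safeguard code; the word list is constructed."""
import secrets
import string

# Policy values taken from BP-PASSWORD-QUALITY-01..04 on this page.
MIN_LEN = 6
MAX_LEN = 8
SPECIALS = string.punctuation

# Constructed stand-in for the word list a dictionary attack would use.
SAMPLE_WORDLIST = {"password", "welcome", "letmein", "monkey", "dragon", "summer"}


def check_password(pw: str, wordlist=SAMPLE_WORDLIST, personal=()) -> list:
    """Return the list of rule violations; an empty list means the password passes.

    `personal` is an optional sequence of strings (names, dates, userids) that
    must not appear anywhere in the password.
    """
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("needs upper- and lower-case letters")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs at least one special character")
    # Dictionary check: keep only the letters and compare case-insensitively, so
    # a word padded with a digit and a special character (e.g. "Summer1!") is
    # still recognised as the dictionary word "summer".
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in wordlist:
        problems.append("contains a dictionary word")
    # Personal-information check: anything the caller supplies (name, birth
    # year, userid) is rejected if it appears as a substring, ignoring case.
    for item in personal:
        if len(item) >= 3 and item.lower() in pw.lower():
            problems.append(f"contains personal information ({item})")
    return problems


def generate_password(length: int = MAX_LEN) -> str:
    """Generate a random password, using the OS CSPRNG, that passes check_password().

    Rejection sampling keeps every character position uniformly random while
    still guaranteeing that all character-class rules are met.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("password", "Summer1!", "Xk7$qPz"):
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
    print("generated:", generate_password())
```

The dictionary check deliberately strips digits and punctuation before the lookup, because the most common way users satisfy character-class rules is to append "1!" to a word; a check that only looks up the literal password would miss that. In production the word list would be the same list an attacker is likely to use, loaded from a file rather than embedded.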
Password Quality Parameters may be set in a variety of ways. These are summarized in the table below.
Where PASSWORD PARAMETERS May Be Set | TACL Program (TACLCONF) | PASSWORD Program bind settings | SAFEGUARD GLOBAL SETTINGS | SAFEGUARD USER RECORD | THIRD PARTY
---|---|---|---|---|---
Required | | NOCHANGEUSER | PASSWORD-REQUIRED | |
Encryption | | ENCRYPTPASSWORD | PASSWORD-ENCRYPT | |
Length | | MINPASSWORDLEN | PASSWORD-MINIMUM-LENGTH | |
Password pgm prompts for OLD and NEW passwords | | PROMPTPASSWORD | | |
Name vs Number | NAMELOGON | | NAMELOGON | |
Password chg parameters | | | PASSWORD-MAY-CHANGE, PASSWORD-EXPIRY-GRACE | PASSWORD-MAY-CHANGE, PASSWORD-EXPIRY-GRACE |
Periodic Password Expiration | | | PASSWORD-MUST-CHANGE, PASSWORD-FAIL FREEZE | PASSWORD-EXPIRES |
Password echo to screen | BLINDPASSWORD | BLINDPASSWORD | BLINDLOGON | |
Numbers Required | | | | | YES
Upper and lower Case required | | | | | YES
Special Characters Required | | | | | YES
Control Characters required | | | | | YES
'Immediate' Expiration | | | | Yes (if date is set manually) | YES