  Arizona State University
  Unix Network Users Group

Passwords


25.  Passwords

Users should understand their responsibility to keep passwords private and to report changes in their user status, suspected security violations, etc.  To assure security awareness among the user population, it is recommended that each user be required to sign a statement to acknowledge understanding these responsibilities.

·        A password should be initially assigned to a user when the account is created on a system.  A user's password must be changed periodically.

·        A user must have a valid ASUID to obtain an account; students should require a faculty signature.

·        Users should be able to change their own passwords.

·        Take care in delivering the password to the user: in person or in written form delivered to a mailbox.

·        Forgotten passwords

        ·        User must notify system admin

        ·        System admin needs to verify user

·        Use Shadow passwords

·        Limit su usage – keep a log of su users

·        Require a secure terminal, perhaps just the console    

·        Set permissions for telnet usage of TTYs (could be in /etc/ttys, security)

·        Use access.conf

·        Use a special group for those allowed to use su.

The simplest way to recover from the compromise of a password is to change it. Therefore, passwords should be changed on a periodic basis to counter the possibility of undetected password compromise. They should be changed often enough so that there is an acceptably low probability of compromise during a password's lifetime.
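As an added example (not part of the original page), the shell function below audits two checklist items, shadow passwords and periodic password changes, against account files. It assumes the standard passwd(5) and shadow(5) field layout; the finding labels, the 90-day limit and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# audit_accounts PASSWD SHADOW MAX_DAYS TODAY_DAYS
#   PASSWD, SHADOW : files in passwd(5) / shadow(5) format
#   MAX_DAYS       : longest password lifetime the site accepts (assumed policy)
#   TODAY_DAYS     : current date as days since 1970-01-01 (shadow date unit)
audit_accounts() {
    awk -F: -v max="$3" -v today="$4" '
    # A field starting with ! or * is locked: no password can match it.
    function locked(p) { return p ~ /^[!*]/ }

    FILENAME == ARGV[1] {            # passwd: field 2 should only be "x"
        if ($2 == "")                      print "EMPTY_PASSWORD " $1
        else if ($2 != "x" && !locked($2)) print "NOT_SHADOWED " $1
        next
    }
    {                                # shadow: $3 = last change, $5 = max age
        if ($2 == "")   { print "EMPTY_PASSWORD " $1; next }
        if (locked($2)) next
        if ($5 == "" || $5 + 0 > max + 0)          print "NO_MAX_AGE " $1
        if ($3 != "" && today - $3 > max + 0)      print "STALE_PASSWORD " $1
    }' "$1" "$2"
}

# Constructed sample data (placeholder hashes, not real accounts).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100::/home/alice:/bin/sh
bob:PLACEHOLDERHASH:1002:100::/home/bob:/bin/sh
guest::1003:100::/home/guest:/bin/sh
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$CONSTRUCTED$PLACEHOLDER:19000:0:90:7:::
alice:$6$CONSTRUCTED$PLACEHOLDER:18000:0:99999:7:::
bob:!:19000:0:90:7:::
EOF
    audit_accounts "$d/passwd" "$d/shadow" 90 19050
    rm -rf "$d"
}
```

On a real system the same function would be run as root against /etc/passwd and /etc/shadow, with TODAY_DAYS computed as the current epoch seconds divided by 86400.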

One common practice is to choose a password that cannot be found in any dictionary and yet is easy to remember.  Two short words connected by a special character usually make a good password.  For example, “dog$heaven” would be a good password because it’s not easily guessed, can’t be found in the dictionary and is easy to remember.

 Copyright © Arizona Board of Regents

Updated: 10/05/00