24 Chapter 1 • General Security Concepts: Access Control, Authentication, and Auditing
Username/Password
Username and password combinations have been used for authenticating users for many years. Most OSes have had some form of local authentication that could be used if the OS was designed to be used by multiple users. Windows, Netware, UNIX, and Linux have all had local authentication paths early in their development. Although this is the most common authentication method, it is not without its problems. From a security standpoint, it is important to understand that the first line of defense of a system is the creation and maintenance of a password policy that is enforced and workable. You need to both implement and enforce the policy to ensure that this rudimentary protection is in place in your network. Most OSes have methods of utilizing username/password policies.
Password policies that require a user-created password less than 6 characters long are regarded as low (or no) security level. Password policies that require between 8 and 13 characters are regarded as a medium security level. Policies requiring 14 or more characters are regarded as a high security level. These security levels are based on the difficulty of discovering the password through the use of dictionary and brute force attacks. Additionally, password policies should require that an acceptable password contain a combination of the following:
■ Uppercase and lowercase alphabetic characters
■ Numbers
■ Special characters
■ No dictionary words
■ No portion of the username in the password
■ No personal identifiers should be used, including birthdays, social security number, pet’s name, and so on
To achieve the medium security level, implement the use of 8 characters, including uppercase and lowercase, numbers, and special characters. For high security, implement the medium security settings, and enforce the previous settings plus no dictionary words and no use of the username in the password. Be aware that the higher the number of characters or letters in a password, the more likely it is that the user will write the password down and leave it where it can be found. Most policies work at about the 8-character range, and require periodic changes of the password as well as the use of special characters or numbers.
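The following is an added example, not code from the book, showing how the policy levels and composition rules above can be turned into an automated check that an administrator might run at password-change time. It applies the book's thresholds (fewer than 6 characters is low, 8 to 13 is medium, 14 or more is high) and its list of required and forbidden elements. The book does not classify 6- or 7-character passwords, so treating them as low is this example's assumption; the tiny dictionary word list, the username-substring length of 3, and the `evaluate_password` function name are likewise constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a real dictionary word list (assumption: a real
# deployment would load a full word list from a file).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}


@dataclass
class PolicyResult:
    level: str                      # "low", "medium" or "high"
    problems: list = field(default_factory=list)


def length_level(password: str) -> str:
    """Map length to the book's levels: <6 low, 8-13 medium, 14+ high.
    6-7 characters are unclassified in the book; treated as low here (assumption)."""
    n = len(password)
    if n >= 14:
        return "high"
    if n >= 8:
        return "medium"
    return "low"


def composition_problems(password: str) -> list:
    """Return a message for each required character class that is missing."""
    checks = [
        (r"[A-Z]", "no uppercase letter"),
        (r"[a-z]", "no lowercase letter"),
        (r"[0-9]", "no digit"),
        (r"[^A-Za-z0-9]", "no special character"),
    ]
    return [msg for pattern, msg in checks if not re.search(pattern, password)]


def contains_dictionary_word(password: str, words=DICTIONARY_WORDS) -> bool:
    lowered = password.lower()
    return any(word in lowered for word in words)


def contains_username_portion(password: str, username: str, min_run: int = 3) -> bool:
    """True if any run of min_run or more consecutive username characters appears
    in the password (case-insensitive). min_run = 3 is this example's assumption
    for what counts as a 'portion of the username'."""
    p, u = password.lower(), username.lower()
    if len(u) < min_run:
        return u in p
    return any(u[i:i + min_run] in p for i in range(len(u) - min_run + 1))


def contains_personal_identifier(password: str, identifiers) -> bool:
    """Identifiers are values such as a birthday, SSN or pet's name supplied by the caller."""
    p = password.lower()
    return any(ident.lower() in p for ident in identifiers if ident)


def evaluate_password(password: str, username: str, personal_identifiers=()) -> PolicyResult:
    """Grade a password against the book's levels and report every rule it breaks."""
    problems = composition_problems(password)
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if contains_username_portion(password, username):
        problems.append("contains part of the username")
    if contains_personal_identifier(password, personal_identifiers):
        problems.append("contains a personal identifier")

    by_length = length_level(password)
    if by_length == "low":
        problems.insert(0, "shorter than 8 characters")
        return PolicyResult("low", problems)

    # Medium: 8 or more characters plus all four character classes.
    if composition_problems(password):
        return PolicyResult("low", problems)

    # High: 14 or more characters, the medium settings, and none of the
    # forbidden content (dictionary word, username portion, personal identifier).
    if by_length == "high" and not problems:
        return PolicyResult("high", problems)
    return PolicyResult("medium", problems)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for pw in ["abc12", "Tr4v3l!Summer", "Qx7#mL9!pV2&wR", "Smithy!Rocks2024"]:
        result = evaluate_password(pw, "jsmith")
        print(f"{pw!r}: {result.level} {result.problems}")
```

Because `evaluate_password` returns the level the password actually achieves together with every rule it breaks, a password-change tool can refuse anything below the level your policy demands while still telling the user exactly what to fix.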
www.syngress.com