D-Link NetDefendOS User Manual page 609

C. Something the user knows such as a password.
Method A may require a special piece of equipment such as a biometric reader. Another problem
with A is that the special attribute often cannot be replaced if it is lost.
Methods B and C are therefore the most common means of identification in network security.
However, these have drawbacks: keys might be intercepted, passcards might be stolen,
passwords might be guessable, or people may simply be bad at keeping a secret. Methods B and
C are therefore sometimes combined, for example in a passcard that requires a password or pin
code for use.
Making Use of Username/Password Combinations
This chapter deals specifically with user authentication performed with username/password
combinations that are manually entered by a user attempting to gain access to resources. Access
to the external public Internet through a NetDefend Firewall by internal clients using the HTTP
protocol is an example of this.
In using this approach, username/password pairs are often the subject of attacks using
guesswork or systematic automated attempts. To counter this, any password should be carefully
chosen. Ideally it should:
• Be more than 8 characters with no repeats.
• Use random character sequences not commonly found in phrases.
• Contain both lower and upper case alphabetic characters.
• Contain both digits and special characters.
To remain secure, passwords should also:
• Not be recorded anywhere in written form.
• Never be revealed to anyone else.
• Changed on a regular basis such as every three months.
609
Chapter 8: User Authentication