Bay Networks 6300 Supplement Manual page 308

Supplement to the remote annex administrator’s guide for unix

Chapter 15
Using RA 6300 Security
Benefits of Password Histories

The password history mechanism helps protect against off-line,
"dictionary" attacks. In this kind of attack, a user obtains the encrypted
acp_passwd (or /etc/passwd) file. The user then tries to crack the
passwords by taking a dictionary of words, encrypting the words (using
salted DES encryption) and comparing them to the encrypted passwords.

Benefits of Password Aging

The longer a password is in effect, the more time an attacker has to crack
its encryption. Consequently, the password history feature is most
effective when used in conjunction with password aging. If password
aging is enabled:

- The user must change passwords when a predefined amount of
  time has elapsed. If the user never changes passwords, there is
  no password history to record.
- The user cannot change passwords until the predefined amount
  of time has elapsed. This prevents potential intruders from
  changing passwords in rapid succession in an attempt to cycle
  the old passwords out of the password history and use them
  again.
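
The interaction between the two aging rules and the password history, as an added example that is not taken from the manual or from erpcd. The class and function names, the history depth of 3 and the 7-day and 90-day ages are hypothetical, and PBKDF2 stands in for the salted DES encryption the manual describes.

```python
import hashlib, hmac, os

DAY = 86400  # seconds

class PasswordPolicy:
    """Hypothetical model of history + aging; not erpcd's own code."""

    def __init__(self, history_depth=3, min_age=7 * DAY, max_age=90 * DAY):
        self.history_depth = history_depth  # constructed sample values
        self.min_age, self.max_age = min_age, max_age
        self.history = []        # [(salt, digest)], newest last
        self.last_change = None  # time of last successful change

    @staticmethod
    def _digest(password, salt):
        # Assumption: PBKDF2 stands in for the manual's salted DES crypt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _in_history(self, password):
        return any(hmac.compare_digest(self._digest(password, s), d)
                   for s, d in self.history)

    def must_change(self, now):
        """Aging rule 1: the password has reached its maximum age."""
        return self.last_change is not None and now - self.last_change >= self.max_age

    def change(self, new_password, now):
        """Return 'ok', 'too_soon' (aging rule 2) or 'reused' (history)."""
        if self.last_change is not None and now - self.last_change < self.min_age:
            return "too_soon"
        if self._in_history(new_password):
            return "reused"
        salt = os.urandom(16)
        self.history.append((salt, self._digest(new_password, salt)))
        self.history = self.history[-self.history_depth:]
        self.last_change = now
        return "ok"

def simulate_rapid_changes(policy, old_password, step=60):
    """Set old_password, make history_depth quick changes, then try it again."""
    results, now = [policy.change(old_password, 0)], 0
    for i in range(policy.history_depth):
        now += step
        results.append(policy.change(f"interim-{i}", now))
    results.append(policy.change(old_password, now + step))
    return results

if __name__ == "__main__":
    print(simulate_rapid_changes(PasswordPolicy(min_age=0), "Constructed-Pw1"))
    print(simulate_rapid_changes(PasswordPolicy(), "Constructed-Pw1"))
```

With no minimum age every change succeeds and the old password is accepted again once it has been pushed out of the history; with the minimum age in force the rapid changes are refused and the history keeps its record.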
Password aging is enabled through the use of a shadow file in conjunction
with a passwd file. By default, erpcd uses the acp_passwd file alone, so
password aging is initially disabled. When only the passwd file is used
(a Berkeley standard), that file contains both the user names (UIDs) and
the encrypted passwords. The passwd/shadow form (used with UNIX
System-V) contains an x in place of a password in the passwd file and
saves the encrypted passwords in a separate file called shadow.

If your UNIX is based on System V and you want to use the password
history feature, choose the passwd/shadow scheme. Use the convert
program, located in the erpcd directory, to change the integrated passwd
form to the passwd/shadow form (and vice versa).