Passwords - Red Hat ENTERPRISE LINUX 3 - INTRODUCTION TO SYSTEM ADMINISTRATION Administration Manual

depends on how email delivery is implemented on your operating system, but the two most likely
symptoms are:
The new user never receives any email — it all goes to the original user.
The original user suddenly stops receiving any email — it all goes to the new user.

6.1.2. Passwords

If the username provides an answer to the question, "who are you?", the password is the response to
the demand that inevitably follows:
"Prove it!"
In more formal terms, a password provides a means of proving the authenticity of a person's claim to
be the user indicated by the username. The effectiveness of a password-based authentication scheme
relies heavily on several aspects of the password:
The secrecy of the password
The resistance of the password to guessing
The resistance of the password to a brute-force attack
Passwords that adequately address these issues are said to be strong, while those that fail to address
one or more of these issues are said to be weak. Creating strong passwords is important for the security
of the organization, as strong passwords are less likely to be discovered or guessed. There are two
options available to enforce the use of strong passwords:
The system administrator can create passwords for all users.
The system administrator can let the users create their own passwords, while verifying that the
passwords are acceptably strong.
Creating passwords for all users ensures that the passwords are strong, but it becomes a daunting task
as the organization grows. It also increases the risk of users writing their passwords down.
For these reasons, most system administrators prefer to have their users create their own passwords.
However, a good system administrator takes steps to verify that the passwords are strong.
For guidelines on creating strong passwords, see the chapter titled Workstation Security in the Red
Hat Enterprise Linux Security Guide.
The need for passwords to be kept secret should be an ingrained part of every system administrator's
mindset. However, this point is often lost on many users. In fact, many users do not even understand
the difference between usernames and passwords. Given this unfortunate fact of life, it is vital that
some amount of user education be undertaken, so that your users understand that their password
should be kept as secret as their paycheck.
Passwords should be as difficult as possible to guess. A strong password is one that an attacker would
not be able to guess, even if the attacker knew the user well.
A brute-force attack on a password entails methodically trying (usually via a program known as a
password-cracker) every possible combination of characters in the hopes that the correct password
will eventually be found. A strong password should be constructed in such a way as to make the
number of potential passwords that must be tested very large, forcing the attacker to take a long time
searching for the password.
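As an added example (not from the manual), the following Python script applies the guessing and brute-force criteria described above to a candidate password: it estimates the keyspace a password-cracker would have to search and flags passwords built from dictionary words or from details an attacker who knows the user might try. The word list, the guess rate and the ten-year threshold are assumed values, not figures from the Red Hat guide, and secrecy, the third criterion, cannot be checked by a program.

```python
import string

# Constructed mini word list standing in for the dictionary a password-cracker tries first.
COMMON_WORDS = {"password", "welcome", "redhat", "letmein", "qwerty", "admin"}

# Character classes used to estimate the alphabet a brute-force search must cover.
CHAR_CLASSES = [
    ("lowercase", set(string.ascii_lowercase)),
    ("uppercase", set(string.ascii_uppercase)),
    ("digits", set(string.digits)),
    ("symbols", set(string.punctuation)),
]


def search_space(password):
    """Number of candidates an exhaustive search must test: alphabet size ** length."""
    if not password:
        return 0
    alphabet = sum(len(chars) for _, chars in CHAR_CLASSES
                   if any(c in chars for c in password))
    return alphabet ** len(password)


def is_guessable(password, personal_info=()):
    """True if the password is a dictionary word (even with trailing digits or symbols
    appended) or contains something an attacker who knows the user could guess."""
    lowered = password.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_WORDS or core in COMMON_WORDS:
        return True
    return any(info.lower() in lowered for info in personal_info if len(info) >= 3)


def check_password(password, personal_info=(), guesses_per_second=1e9, min_years=10):
    """Classify a password as 'strong' or 'weak' and list the criteria it fails.

    guesses_per_second and min_years are assumed parameters: the attacker's cracking
    rate and how long an exhaustive search must take for the password to count as strong.
    """
    reasons = []
    if is_guessable(password, personal_info):
        reasons.append("guessable: dictionary word or personal information")
    seconds = search_space(password) / guesses_per_second
    if seconds < min_years * 365 * 24 * 3600:
        reasons.append(f"brute-forceable: exhaustive search takes about {seconds / 86400:.1f} days")
    return ("strong" if not reasons else "weak", reasons)


if __name__ == "__main__":
    for candidate in ("Welcome1", "jsmith1985", "correct-Horse9battery!"):
        print(candidate, check_password(candidate, personal_info=("jsmith", "John Smith")))
```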
Strong and weak passwords are explored in more detail in the following sections.
Chapter 6. Managing User Accounts and Resource Access
