Note
Keep in mind that just using the first letters of each word in a phrase is not sufficient to make a
strong password. Always be sure to increase the password's character set by including mixed-case
alphanumeric characters and at least one special character as well.
6.1.2.3. Password Aging
If at all possible, implement password aging at your organization. Password aging is a feature (available
in many operating systems) that sets limits on the time that a given password is considered valid.
At the end of a password's lifetime, the user is prompted to enter a new password, which can then be
used until it, too, expires.
The key question regarding password aging that many system administrators face is that of the password
lifetime. What should it be?
There are two diametrically-opposed issues at work with respect to password lifetime:
• User convenience
• Security
On one extreme, a password lifetime of 99 years would present very little (if any) user inconvenience.
However, it would provide very little (if any) security enhancement.
On the other extreme, a password lifetime of 99 minutes would be a large inconvenience to your users.
However, security would be greatly enhanced.
The idea is to find a balance between your users' desire for convenience and your organization's
need for security. For most organizations, password lifetimes in the weeks-to-months range are most
common.
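On Linux systems the per-account aging limits described above live in the numbered fields of /etc/shadow (last change, minimum days, maximum days, warning days, inactivity days, expiry date, all expressed in days since 1970-01-01) and are set with chage(1) or, for newly created accounts, by PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs. The following POSIX shell script is an added example, not part of the original text, that evaluates those fields the way the login process does; the shadow entries are constructed samples with placeholder hashes, and the "today" value is passed in so the check can be run offline.

```shell
#!/bin/sh
# Added example: classify an account's password-aging state from shadow fields.
# shadow(5) layout:  name:hash:lastchg:min:max:warn:inactive:expire:reserved
#   lastchg  days since epoch of last password change (0 = must change at next login,
#            empty = aging disabled)
#   max      maximum days the password stays valid (empty or 99999 = never expires)
#   warn     days before expiry on which the user is warned
#   inactive days after expiry during which the password is still accepted
#
# Constructed sample entries (not real accounts; hashes are placeholders).
SAMPLE_SHADOW='alice:$6$placeholder:19700:1:90:14:7::
bob:$6$placeholder:19500:0:99999:7:::
carol:$6$placeholder:19650:0:::::
dave:$6$placeholder:0:0:90:7:::'

# password_state USER TODAY_DAYS
# Prints one of: ok, warn, expired, inactive, never, must_change, unknown.
password_state() {
  user=$1
  today=$2
  line=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$user:")
  if [ -z "$line" ]; then
    echo "unknown"
    return 1
  fi
  lastchg=$(printf '%s' "$line" | cut -d: -f3)
  max=$(printf '%s' "$line" | cut -d: -f5)
  warn=$(printf '%s' "$line" | cut -d: -f6)
  inactive=$(printf '%s' "$line" | cut -d: -f7)

  # An empty last-change field disables aging entirely.
  if [ -z "$lastchg" ]; then
    echo "never"; return 0
  fi
  # A last-change of 0 forces a change at the next login regardless of max.
  if [ "$lastchg" -eq 0 ]; then
    echo "must_change"; return 0
  fi
  # No maximum, or the conventional 99999, means the password never ages out.
  if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
    echo "never"; return 0
  fi

  age=$((today - lastchg))
  if [ "$age" -gt "$max" ]; then
    # Past max: still usable during the inactivity grace period, then locked.
    if [ -n "$inactive" ] && [ "$age" -gt $((max + inactive)) ]; then
      echo "inactive"
    else
      echo "expired"
    fi
  elif [ -n "$warn" ] && [ "$age" -ge $((max - warn)) ]; then
    echo "warn"
  else
    echo "ok"
  fi
}

# On a real host the same fields are read with "chage -l USER" (as root) and set
# with e.g. "chage -M 90 -W 14 -I 7 USER"; the script above only reads the sample.
password_state alice 19780
```

The sample values illustrate the trade-off in the text: alice has a 90-day lifetime with a 14-day warning window and a 7-day grace period, bob's 99999-day maximum is the "99 years" end of the spectrum (effectively no aging), and dave's zero last-change field forces a change at the next login.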
6.1.3. Access Control Information
Along with a username and password, user accounts also contain access control information. This
information takes on different forms according to the operating system being used. However, the
types of information often include:
• System-wide user-specific identification
• System-wide group-specific identification
• Lists of additional groups/capabilities to which the user is a member
• Default access information to be applied to all user-created files and resources
In some organizations, a user's access control information may never need to be touched. This is most
often the case with standalone, personal workstations, for example. Other organizations, particularly
those that make extensive use of network-wide resource sharing among different groups of users,
require that a user's access control information be extensively modified.
The workload required to properly maintain your users' access control information varies according
to how extensively your organization uses your operating system's access control features. While it is
not a bad thing to rely heavily on these features (in fact, it may be unavoidable), it does mean that
your system environment may require more effort to maintain, and that every user account has
more ways in which it can be misconfigured.
Chapter 6. Managing User Accounts and Resource Access