RFC 1244 Site Security Handbook July 1991
decided for proper password management. Regardless of the policies,
password management procedures need to be carefully set up to avoid
disclosing passwords. The choice of initial passwords for accounts
is critical. In some cases, users may never log in to activate an
account; thus, the initial password should not be easily guessed.
Default passwords should never be assigned to accounts: always
create a new password for each user. If there are any printed lists
of passwords, these should be kept off-line in secure locations;
better yet, don't list passwords at all.
4.3.1 Password Selection
Perhaps the most vulnerable part of any computer system is the
account password. Any computer system, no matter how secure it is
from network or dial-up attack, Trojan horse programs, and so on,
can be fully exploited by an intruder if he or she can gain access
via a poorly chosen password. It is important to define a good
set of rules for password selection, and distribute these rules to
all users. If possible, the software which sets user passwords
should be modified to enforce as many of the rules as possible.
A sample set of guidelines for password selection is shown below:
- DON'T use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
- DON'T use your first, middle, or last name in any form.
- DON'T use your spouse's or child's name.
- DON'T use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the make of your automobile, the name of the street you live on, etc.
- DON'T use a password of all digits, or all the same letter.
- DON'T use a word contained in English or foreign language dictionaries, spelling lists, or other lists of words.
- DON'T use a password shorter than six characters.
- DO use a password with mixed-case alphabetics.
- DO use a password with non-alphabetic characters (digits or punctuation).
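The handbook suggests that the password-setting software enforce as many of these rules as possible, and the preceding section asks that initial passwords never be predictable defaults. The following Python is an added illustration of both points, written for this edition and not part of RFC 1244: a checker that applies each DON'T/DO rule above to a candidate password, and a generator that draws a random initial password from the operating system's CSPRNG and keeps only candidates the checker accepts. The `user_info` keys (`login`, `names`, `relatives`, `personal`), the in-line word list standing in for a system dictionary, and the chosen generator length are all assumptions of this example. The six-character minimum is the RFC's 1991 rule; current guidance (e.g. NIST SP 800-63B) calls for longer minimums, so adjust `MIN_LENGTH` to local policy.

```python
import re
import secrets
import string

# Constructed stand-in for a system word list such as /usr/share/dict/words.
# A real deployment would load the full dictionary (and foreign-language lists).
SAMPLE_DICTIONARY = {
    "password", "secret", "welcome", "dragon", "monkey", "letmein",
    "computer", "summer", "winter", "hello", "freedom", "shadow",
}

MIN_LENGTH = 6  # RFC 1244 rule; modern policy should raise this.

_SEPARATORS = re.compile(r"[\s\-\.]")


def name_variants(name):
    """Forms of a name the RFC forbids: as-is, reversed, doubled.
    Case is handled by the caller comparing against a lowercased password."""
    if not name:
        return set()
    n = name.lower()
    return {n, n[::-1], n * 2}


def check_password(password, user_info, dictionary=SAMPLE_DICTIONARY):
    """Return the list of RFC 1244 rules the password violates ([] means it passes).

    user_info is a dict (keys are assumptions of this example):
      login     - account name
      names     - first/middle/last names
      relatives - spouse's or child's names
      personal  - plate numbers, phone numbers, SSN, car make, street, ...
    """
    violations = []
    pw = password.lower()

    if len(password) < MIN_LENGTH:
        violations.append("shorter than six characters")

    if any(v in pw for v in name_variants(user_info.get("login", ""))):
        violations.append("contains login name in some form")

    if any(v in pw for n in user_info.get("names", []) for v in name_variants(n)):
        violations.append("contains first/middle/last name")

    if any(v in pw for n in user_info.get("relatives", []) for v in name_variants(n)):
        violations.append("contains spouse's or child's name")

    # Strip separators so "555-1234" in the password still matches "555 1234".
    pw_compact = _SEPARATORS.sub("", pw)
    for item in user_info.get("personal", []):
        compact = _SEPARATORS.sub("", item.lower())
        if compact and compact in pw_compact:
            violations.append("contains easily obtained personal information")
            break

    if password.isdigit():
        violations.append("all digits")
    elif password.isalpha() and len(set(pw)) == 1:
        violations.append("all the same letter")

    if pw in dictionary or pw[::-1] in dictionary:
        violations.append("dictionary word")

    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("not mixed-case")

    if not any(c in string.digits or c in string.punctuation for c in password):
        violations.append("no digit or punctuation")

    return violations


def generate_initial_password(length=12,
                              alphabet=string.ascii_letters + string.digits + "!#%+-=?@_"):
    """Random initial password from the OS CSPRNG (secrets), retried until it
    satisfies check_password, so no account ever starts with a guessable default."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, {}):
            return candidate


if __name__ == "__main__":
    # Constructed sample user; these values are not from the RFC.
    info = {"login": "jsmith", "names": ["John", "Smith"],
            "relatives": ["Mary"], "personal": ["555 1234", "ABC-123"]}
    for cand in ["jsmith", "HTIMSJ1", "Mary2024", "abc123", "Tr0ub4dor&3"]:
        print(f"{cand!r:16} -> {check_password(cand, info) or 'OK'}")
    print("initial password:", generate_initial_password())
```

The checker reports every violated rule rather than stopping at the first, which is what an administrator wants when explaining a rejection to a user; the generator reuses the same checker so the enforcement and generation logic cannot drift apart.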
Site Security Policy Handbook Working Group [Page 58]