RFC 1244 Site Security Handbook July 1991
- DO use a password that is easy to remember, so you don't
have to write it down.
- DO use a password that you can type quickly, without
having to look at the keyboard.
Methods of selecting a password which adheres to these guidelines
include:
- Choose a line or two from a song or poem, and use the
first letter of each word.
- Alternate between one consonant and one or two vowels, up
to seven or eight characters. This provides nonsense
words which are usually pronounceable, and thus easily
remembered.
- Choose two short words and concatenate them with a
punctuation character between them.
Users should also be told to change their password periodically,
usually every three to six months. This makes sure that an
intruder who has guessed a password will eventually lose access,
as well as invalidating any list of passwords he/she may have
obtained. Many systems enable the system administrator to force
users to change their passwords after an expiration period; this
software should be enabled if your system supports it [5, CURRY].
Some systems provide software which forces users to change their
passwords on a regular basis. Many of these systems also include
password generators which provide the user with a set of passwords
to choose from. The user is not permitted to make up his or her
own password. There are arguments both for and against systems
such as these. On the one hand, by using generated passwords,
users are prevented from selecting insecure passwords. On the
other hand, unless the generator is good at making up easy-to-
remember passwords, users will begin writing them down in order to
remember them.
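The consonant/vowel method listed above and the password generators described in this paragraph, as an added example in Python (not part of RFC 1244): a CSPRNG-backed generator for such nonsense words that also reports how much randomness went into each one, plus a validator for candidate passwords. The letter sets and the 4..16 length bounds are this example's assumptions.

```python
import math
import secrets

# Letter sets for the RFC 1244 consonant/vowel method (an assumption of this example).
CONSONANTS = "bcdfghjklmnpqrstvwxz"   # 20 letters
VOWELS = "aeiouy"                      # 6 letters

def pronounceable_password(length=8, rng=None):
    """Return (word, bits): a nonsense word alternating one consonant with one
    or two vowels, plus log2(1/probability) of that exact output. `rng` is a
    CSPRNG by default; pass random.Random(seed) only for reproducible tests."""
    if not 4 <= length <= 16:
        raise ValueError("length must be between 4 and 16")
    rng = rng or secrets.SystemRandom()
    out, bits = [], 0.0
    while len(out) < length:
        out.append(rng.choice(CONSONANTS))          # exactly one consonant
        bits += math.log2(len(CONSONANTS))
        room = length - len(out)
        if room == 0:
            break
        if room >= 2:                               # one or two vowels; the
            n_vowels = rng.randrange(1, 3)          # size choice is itself
            bits += 1.0                             # one bit of randomness
        else:
            n_vowels = 1                            # only one slot left
        for _ in range(n_vowels):
            out.append(rng.choice(VOWELS))
            bits += math.log2(len(VOWELS))
    return "".join(out), round(bits, 1)

def is_alternating(password):
    """Validate a candidate against the same rule: lowercase letters only,
    no two consonants in a row, at most two vowels in a row."""
    prev_kind, run = None, 0
    for ch in password:
        if ch in CONSONANTS:
            kind = "C"
        elif ch in VOWELS:
            kind = "V"
        else:
            return False                            # digit, symbol or uppercase
        run = run + 1 if kind == prev_kind else 1
        if (kind == "C" and run > 1) or (kind == "V" and run > 2):
            return False
        prev_kind = kind
    return bool(password)

if __name__ == "__main__":
    print(pronounceable_password(8))                # a (word, bits) tuple
```

For an eight-character word the bits value lands between about 28 and 31, against roughly 52 bits for eight characters drawn uniformly from the 95 printable ASCII symbols; that gap is the price of the memorability the handbook is after.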
4.3.2 Procedures for Changing Passwords
How password changes are handled is important to keeping passwords
secure. Ideally, users should be able to change their own
passwords on-line. (Note that password changing programs are a
favorite target of intruders. See section 4.4 on configuration
management for further information.)
However, there are exception cases which must be handled
Site Security Policy Handbook Working Group [Page 59]