RFC 2196 Site Security Handbook September 1997
4.1.3 Choosing and Protecting Secret Tokens and PINs
When selecting secret tokens, choose them carefully. Like
passwords, they should be robust against brute force efforts to
guess them. That is, they should not be single words in any
language, nor any common, industry, or cultural acronyms, etc.
Ideally, they will be longer rather than shorter and consist of
pass phrases that combine upper and lower case characters, digits,
and other characters.
Once chosen, the protection of these secret tokens is very important.
Some are used as PINs to hardware devices (like token cards) and
these should not be written down or placed in the same location as
the device with which they are associated. Others, such as a secret
Pretty Good Privacy (PGP) key, should be protected from unauthorized
access.
One final word on this subject. When using cryptography products,
like PGP, take care to determine the proper key length and ensure
that your users are trained to do likewise. As technology advances,
the minimum safe key length continues to grow. Make sure your site
keeps up with the latest knowledge on the technology so that you can
ensure that any cryptography in use is providing the protection you
believe it is.
4.1.4 Password Assurance
While the need to eliminate the use of standard, reusable passwords
cannot be overstated, it is recognized that some organizations may
still be using them. While it's recommended that these organizations
transition to the use of better technology, in the meantime, we have
the following advice to help with the selection and maintenance of
traditional passwords. But remember, none of these measures provides
protection against disclosure due to sniffer programs.
(1) The importance of robust passwords - In many (if not most) cases
of system penetration, the intruder needs to gain access to an
account on the system. One way that goal is typically
accomplished is through guessing the password of a legitimate
user. This is often accomplished by running an automated
password cracking program, which utilizes a very large
dictionary, against the system's password file. The only way to
guard against passwords being disclosed in this manner is
through the careful selection of passwords which cannot be
easily guessed (i.e., combinations of numbers, letters, and
punctuation characters). Passwords should also be as long as
the system supports and users can tolerate.
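The selection rules in 4.1.3 and in item (1) above can be enforced at the point where a user picks a password or pass phrase, which is the only place the handbook says the dictionary-cracking risk can be addressed. The checker below is an added example, not text or code from the RFC: it rejects short tokens, tokens drawn from too few character classes, and tokens that are a single dictionary word or acronym even after the "word + year + !" decoration and digit-for-letter substitutions that cracking programs already try. The word list, acronym list, minimum length, and the leetspeak table are constructed for illustration; a real deployment would load the same large dictionary an attacker would use.

```python
"""Password / pass phrase policy check in the spirit of RFC 2196 4.1.3 and 4.1.4.

Added example, not part of the RFC. DICTIONARY, ACRONYMS, MIN_LENGTH and the
leetspeak table are constructed placeholders, not real policy values.
"""
import math
import string

# Constructed stand-in for the "very large dictionary" a cracking program uses.
DICTIONARY = {
    "password", "secret", "welcome", "summer", "dragon", "letmein",
    "monkey", "qwerty", "football", "baseball", "shadow", "master",
}

# Constructed stand-in for "common, industry, or cultural acronyms".
ACRONYMS = {"nasa", "ibm", "tcp", "ietf", "rfc", "nato", "acme", "pgp"}

MIN_LENGTH = 12  # constructed policy threshold

# Digit/symbol-for-letter substitutions that cracking dictionaries undo.
_LEET = str.maketrans("@4310$5!7", "aaeiossit")


def strip_leetspeak(token: str) -> str:
    """Map 'p@ssw0rd' back to 'password' so it is checked as the word it is."""
    return token.translate(_LEET)


def character_classes(token: str) -> int:
    """Count how many of upper, lower, digit and other classes are present."""
    return sum([
        any(c.isupper() for c in token),
        any(c.islower() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    ])


def brute_force_bits(token: str) -> float:
    """Upper bound on exhaustive-guessing work in bits, assuming the attacker
    knows which character classes were used. A dictionary word or acronym is
    found in far fewer guesses than this bound, which is why check_secret()
    also performs the word test."""
    size = 0
    if any(c.isupper() for c in token):
        size += 26
    if any(c.islower() for c in token):
        size += 26
    if any(c.isdigit() for c in token):
        size += 10
    if any(not c.isalnum() for c in token):
        size += len(string.punctuation) + 1  # printable symbols plus space
    return len(token) * math.log2(size) if size else 0.0


def core_candidates(token: str) -> set:
    """Heuristic 'core word' extraction: lowercase, drop the usual digit and
    symbol decoration from both ends, and undo leetspeak, in both orders."""
    lower = token.lower()
    trim = string.digits + string.punctuation
    return {
        strip_leetspeak(lower).strip(trim),
        strip_leetspeak(lower.strip(trim)),
    }


def check_secret(token: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(token) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(token) < 3:
        problems.append("uses fewer than three character classes")
    if any(c in DICTIONARY or c in ACRONYMS for c in core_candidates(token)):
        problems.append("is a single dictionary word or acronym "
                        "(decoration and leetspeak do not help)")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd2024!", "IETF",
                      "correct-Horse battery 7staple!"]:
        print("%-32s %6.1f bits  %s" % (
            candidate, brute_force_bits(candidate),
            check_secret(candidate) or "accepted"))
```

The last candidate is the kind of long mixed-class pass phrase 4.1.3 recommends: it passes every test, while "P@ssw0rd2024!" is rejected despite satisfying the length and character-class rules, because a cracker's mangling rules reduce it to a dictionary word.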
Fraser, Ed. Informational [Page 26]