The security of the Virtual Private Servers system rests on the passwords
used to gain access to personal or privileged information. Because passwords
play such an important role in Virtual Private Server security, there are
several issues you should consider when choosing and using them.
Of the many possible avenues of attack that a malicious individual may use
against a Virtual Private Server, password cracking is among the most
effective. The UNIX operating system, upon which the Virtual Private
Servers system is based, maintains a list of recognized users and
information about their passwords in a special file (or files) that is
consulted whenever a user must be authenticated. The Virtual Private
Servers system stores this information in a file named ~/etc/passwd
located on each Virtual Private Server.
Many of the cracking techniques in popular use today involve
"dictionary guessing", in which a computer automates a trial-and-error
process to discover the correct password for a User Account. As a prelude
to cracking, attackers will often attempt to view or copy a server's
~/etc/passwd file and use it as input to their automated guessing programs.
Due to the design of the UNIX password scheme, the ~/etc/passwd file does
not contain the actual account passwords. It instead contains, for each
account, a special sequence of characters produced by a specific one-way
cryptographic algorithm (the crypt(3) routine), which uses the actual
password as an encryption key to encrypt a block of known plaintext. A
short random "salt", stored as the first characters of that sequence,
varies the encryption so that two accounts with the same password do not
produce the same stored string.
As such, knowing the contents of the ~/etc/passwd file does not directly
reveal any account password. It does, however, provide a list of all valid
accounts and a means to check a guessed password quickly and offline,
which greatly assists any cracking effort: the attacker runs each guess
through the same algorithm with the account's salt and compares the
result with the stored string. Using a large word list or dictionary,
attackers try every word and every cheap permutation of it in this way,
checking each result against the contents of the ~/etc/passwd file until
they have a match.
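The dictionary-guessing workflow described above, as an added example that is not part of the original page: it builds a small passwd file in the classic seven-field format and then recovers the weak passwords from it using nothing but the stored strings and a word list. Because Python's crypt module is deprecated and no longer shipped in recent releases, a salted SHA-256 from hashlib stands in for crypt(3)'s DES-based routine; the stand-in keeps the shape the attack depends on (a public salt prefixed to a one-way, quick-to-compute result). The account names, salts, passwords and word list are all constructed for the example.

```python
import hashlib

# Constructed word list: a tiny stand-in for the large dictionaries attackers load.
WORDLIST = ["password", "wizard", "gandalf", "secret", "word"]


def crypt_like(password, salt):
    """Stand-in for crypt(3).

    Assumption: real crypt(3) turns the password into a DES key and encrypts a
    known block, perturbed by a two-character salt that is prefixed to the
    output. A salted SHA-256 keeps that shape (public salt prefix, one-way,
    fast to verify), which is all the cracking loop relies on.
    """
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest


def build_sample_passwd():
    """Constructed passwd file in the classic 7-field format; the stored
    strings are generated here so the sample is self-consistent."""
    accounts = [  # (user, salt, password, uid, gid, gecos, home, shell)
        ("root", "a7", "Gandalf1", "0", "0", "Super User", "/", "/bin/sh"),
        ("alice", "Qx", "ecila", "1001", "100", "Alice", "/home/alice", "/bin/sh"),
        ("bob", "9z", "Tq7%xkL2", "1002", "100", "Bob", "/home/bob", "/bin/sh"),
        ("carol", "Lm", "secretword", "1003", "100", "Carol", "/home/carol", "/bin/sh"),
    ]
    lines = []
    for user, salt, pw, uid, gid, gecos, home, shell in accounts:
        lines.append(":".join([user, crypt_like(pw, salt), uid, gid, gecos, home, shell]))
    return "\n".join(lines) + "\n"


def parse_passwd(text):
    """Return (user, stored_string) pairs; skip blanks and comments, reject
    malformed lines rather than silently guessing at them."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        entries.append((fields[0], fields[1]))
    return entries


def candidates(wordlist, usernames):
    """Generate the 'trivial permutations' the page warns about: each word or
    username as-is, in case variants, reversed, two words joined, and every one
    of those with a single digit prefixed or suffixed."""
    bases = list(wordlist) + list(usernames)
    bases += [a + b for a in wordlist for b in wordlist if a != b]
    seen = set()
    for base in bases:
        forms = {base, base.lower(), base.upper(), base.capitalize(), base[::-1]}
        for form in list(forms):
            for digit in "0123456789":
                forms.add(form + digit)
                forms.add(digit + form)
        for guess in sorted(forms):
            if guess not in seen:
                seen.add(guess)
                yield guess


def crack(entries, wordlist):
    """Run every candidate through the one-way function with each account's
    own salt and compare against the stored string; return what matched."""
    usernames = [user for user, _ in entries]
    found = {}
    for guess in candidates(wordlist, usernames):
        for user, stored in entries:
            if user in found:
                continue
            salt = stored[:2]  # the salt is public: it leads the stored string
            if crypt_like(guess, salt) == stored:
                found[user] = guess
        if len(found) == len(entries):
            break
    return found


if __name__ == "__main__":
    results = crack(parse_passwd(build_sample_passwd()), WORDLIST)
    for user, password in sorted(results.items()):
        print("%-6s cracked: %s" % (user, password))
```

Run directly, it reports root, alice and carol cracked (a capitalized dictionary word with a digit appended, a username spelled backwards, and two dictionary words concatenated), while bob's password, which matches none of the generated permutations, survives. The attacker never needs to talk to the server during this loop; that is what makes a copied passwd file so valuable.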
This process can be surprisingly successful. As a result, you should not
use weak passwords that could feasibly be listed in any dictionary,
including any foreign language dictionary. Trivial permutations, such as
spelling a dictionary word or account name backwards, concatenating one
or more dictionary words, or prefixing or suffixing a dictionary word with
letters or digits, should also be avoided because they are among the first
permutations a dedicated attacker will check. Characteristics of good
passwords include:
- Sufficient length: traditional UNIX systems recognize and use only the
first eight characters of a password, so characters beyond the eighth add
no strength. Plan on choosing passwords seven or eight characters in length
and make every one of those characters count.
- Sufficient complexity: UNIX passwords are case sensitive (uppercase and
lowercase letters are not the same), and they may also contain unusual
characters such as punctuation, so plan on using unusual capitalization
and characters.
- Sufficient obscurity: never use a password that incorporates personal
information about yourself that could be easily obtained.
In the book "Practical UNIX Security", Simson Garfinkel and Gene Spafford
offer the following checklist of things to consider when choosing a
password. To be secure, a password should not be any of the following:
- Your name
- Your spouse's name
- Your parent's name
- Your pet's name
- Your child's name
- Names of close friends or coworkers
- Names of your favorite fantasy characters
- Your boss's name
- Anybody's name
- The name of the operating system you're using
- The hostname of your computer
- Your phone number
- Your license plate number
- Any part of your social security number (or equivalent)
- Anybody's birth date
- Other information that is easily obtained about you
- Words such as "wizard", "guru", "gandalf", and so on
- Any username on the computer in any form (as is, capitalized, doubled, etc.)
- A word in the English dictionary
- A word in a foreign dictionary
- A place
- A proper noun
- Passwords of all the same letter
- Simple patterns of letters on the keyboard, like "qwerty"
- Any of the above spelled backwards
- Any of the above followed or prepended by a single digit
The authors go on to say that good passwords are ones that are difficult
to guess. In general, good passwords:
- Have both uppercase and lowercase letters
- Have digits and/or punctuation characters as well as letters
- Are easy to remember, so they do not have to be written down
- Are seven or eight characters long
- Can be typed quickly, so somebody cannot follow what you type by looking over your shoulder
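The two lists above turned into a checker, as an added example that is neither the book's nor the original page's code: it applies the structural rules (length, mixed case, a digit or punctuation character, no single repeated character, no keyboard row) and then undoes the cheap transformations from the checklist (case, a single leading or trailing digit, reversal, doubling) to see whether what remains is a dictionary word, a username or a personal fact. It goes one step beyond the book's list by also undoing digit-for-letter substitutions such as 0 for o, which attackers try just as routinely. The word lists are tiny constructed stand-ins, and only the first eight characters are examined, for the crypt(3) reason given earlier.

```python
import string

# Constructed word lists: tiny stand-ins for the English and foreign-language
# dictionaries a real checker (or attacker) would load.
ENGLISH = {"password", "wizard", "guru", "gandalf", "secret", "dragon", "london"}
FOREIGN = {"geheimnis", "soleil", "gato"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Assumption: the digit/symbol-for-letter substitutions attackers try routinely
# (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, 8->b, @->a, $->s, !->i).
LEET = str.maketrans("0134578@$!", "oleastbasi")


def stems(password):
    """Undo the cheap transformations an attacker applies to a base word:
    lowercasing, one digit added at either end, digit-for-letter substitution,
    reversal and doubling. Returns every base word the password could have
    been derived from; if any of them is in a word list, the password is weak."""
    p = password.lower()
    forms = {p}
    if p[-1:].isdigit():
        forms.add(p[:-1])
    if p[:1].isdigit():
        forms.add(p[1:])
    forms |= {f.translate(LEET) for f in forms}
    forms |= {f[::-1] for f in forms}
    halves = {f[: len(f) // 2] for f in forms
              if f and len(f) % 2 == 0 and f[: len(f) // 2] == f[len(f) // 2:]}
    return forms | halves


def keyboard_pattern(s, min_len=4):
    """True if s is a run of adjacent keys along one row, in either direction."""
    return len(s) >= min_len and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password, username, personal=(), usernames=()):
    """Return the rules the password breaks (an empty list means it passes).

    Only the first eight characters are examined: traditional crypt(3) ignores
    the rest, so anything added past the eighth character gives no strength."""
    problems = []
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    effective = password[:8]
    if len(set(effective)) == 1:
        problems.append("all the same character")
    if not (any(c.isupper() for c in effective) and any(c.islower() for c in effective)):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() or c in string.punctuation for c in effective):
        problems.append("needs a digit or punctuation character")
    names = {username.lower()} | {u.lower() for u in usernames}
    facts = {f.lower() for f in personal}
    bases = stems(effective)
    hit = bases & (ENGLISH | FOREIGN)
    if hit:
        problems.append("based on a dictionary word: %s" % min(hit))
    if bases & names or any(n in effective.lower() for n in names if len(n) >= 3):
        problems.append("based on a username")
    if bases & facts:
        problems.append("based on personal information: %s" % min(bases & facts))
    if any(keyboard_pattern(b) for b in bases):
        problems.append("keyboard pattern")
    return problems


if __name__ == "__main__":
    for pw in ("gandalf", "Passw0rd", "Ecila1", "Qwerty1", "Wizardry2024!", "Tq7%xkL2"):
        verdict = check_password(pw, "alice", personal=("Rover",), usernames=("bob", "carol"))
        print("%-14s %s" % (pw, "ok" if not verdict else "; ".join(verdict)))
```

Note what the truncation does to "Wizardry2024!": the digits and punctuation that make it look strong fall outside the first eight characters, so the checker rejects it, exactly as a traditional UNIX login would only ever compare "Wizardry". "Passw0rd" is rejected because undoing the 0-for-o substitution lands on a dictionary word, and "Ecila1" because stripping the digit and reversing yields the account name.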
Remember: following a sensible password policy will help ensure that your
Virtual Private Server remains the robust and secure system it should be.