2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Introduction to password policy
A password policy is a security mechanism that the operating system provides for system security (just as the Linux operating system does not provide super-user login). A password policy covers the minimum password length, password age, password history, password complexity and so on. In an enterprise, the operating system password policy is required to be configured, and password complexity is required; a password policy is mandatory for Classified Protection (等级保护, MLPS) assessment at level 2 or above. I once worked as a Classified Protection evaluator, and almost no enterprise was using this password policy. I was very depressed about this and do not know whether the engineers were unaware of it or had some other reason. Here I will briefly introduce how to set the password policy.
According to the relevant requirements, a password needs to meet the following:
Users are responsible for and obliged to take good care of their personal accounts and passwords; they shall not disclose their own accounts and passwords on any occasion, nor disclose those of others. The account owner bears responsibility for any adverse consequences caused by password disclosure.
The password length must not be less than 6 characters.
Passwords are composed of digits, punctuation, uppercase and lowercase letters and special symbols, with the necessary combinatorial complexity. Consecutive or identical digits, letter combinations (such as 123456) and other combinations that are easy to guess are prohibited as passwords.
Passwords shall not be stored in plaintext in any form in electronic documents on hosts, and shall not be transmitted in plaintext by e-mail or fax.
When creating an account, the system administrator sets the initial password of the assigned account to require a change at first login. For systems that cannot force a password change, the system administrator notifies the user to change the password immediately after creating the account; the user reports back to the system administrator after logging in and changing the password for the first time, and the system administrator reviews this.
Users should change their passwords regularly (at least once a quarter), and the same password must not be reused.
And so on; for the specific requirements, see the application analysis of Classified Protection 2.0 (等保 2.0) cryptographic technology.
Setting the password policy on Windows
The Windows password policy has the following settings:
Password must meet complexity requirements
Minimum password length
Minimum password age
Maximum password age
Enforce password history
Store passwords using reversible encryption
Next, modify these settings.
Open Administrative Tools.
Open Local Security Policy > Account Policies > Password Policy.
Then adjust the values to your own needs. The settings I recommend are shown below, for reference only.
Setting the password policy on Linux
On Linux, we may not even be aware that there is a password policy. Many people think the Linux security mechanism is already very strong, and most Linux systems use PAM (Pluggable Authentication Modules) to enforce the password security policy. Let's talk about the Linux password policy; it is much more powerful than the Windows password policy.
The Linux password policy has the following settings:
Maximum password validity period
Maximum password usage time
Minimum password length
Number of days of warning before the password expires
Restrictions on case, digits, special characters and so on
The new password cannot be the same as the old one.
The new and old passwords cannot have the same length.
Account lockout time
Account automatic unlock time
Password policy configuration file path:
On CentOS/Red Hat and similar systems: /etc/pam.d/system-auth
On Ubuntu and similar systems: /etc/pam.d/common-password
The file contents are as follows (there are some differences between versions):
# /etc/pam.d/common-password - password-related modules common to all services
# This file is included from other service-specific PAM config files
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
# The "sha512" option enables salted SHA512 passwords. Without this option
# the default is Unix crypt. Prior releases used the option "md5".
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Password expiration time, validity period and similar settings live in another configuration file, /etc/login.defs. Part of its content:
PASS_MAX_DAYS: maximum number of days a password may be used.
PASS_MIN_DAYS: minimum number of days between password changes.
PASS_MIN_LEN: minimum password length.
PASS_WARN_AGE: number of days of warning before a password expires.
The following is an example of a Linux user password policy:
Set the maximum password usage time (PASS_MAX_DAYS)
This limits the maximum number of days a password can be used. When the time is up, the password is locked; if you forgot to change it, you will not be able to log in to the system, and an administrator account is needed to unlock it before you can continue. It is set with the PASS_MAX_DAYS parameter in the /etc/login.defs file. In enterprises this value is generally set to 30 days, that is, the password is changed once a month.
root@test:/etc# vim login.defs
# the value is a number of days
PASS_MAX_DAYS 30
Set the minimum number of days between password changes (PASS_MIN_DAYS)
This limits how long a password cannot be changed after it is set. A value of 15 means the password cannot be changed for 15 days, that is, at least 15 days must pass between two password changes. It is set with the PASS_MIN_DAYS parameter in the /etc/login.defs file. Enterprises generally do not control this; adjust it to your own needs. I set it to 10 days here.
root@test:/etc# vim login.defs
# the value is a number of days
PASS_MIN_DAYS 10
Set the password expiration warning (PASS_WARN_AGE)
This reminds users that it is time to change their password: when the password is about to expire, a warning is given to the user every day during the set number of days before the maximum password age is reached. This lets users change the password before it expires; otherwise they have to contact the administrator to unlock it. It is set with the PASS_WARN_AGE parameter in the /etc/login.defs file. In enterprises it is generally set to 3 days, and I set it to 3 days here as well.
root@test:/etc# vim login.defs
# the value is a number of days
PASS_WARN_AGE 3
Avoid reusing old passwords
This prevents a password from being changed back to an old password. Look for the line that contains both "password" and "pam_unix.so" and add "remember=N" at the end of that line; this prevents the N most recently used passwords from being set as the new password. The configuration file is /etc/pam.d/common-password (on CentOS/Red Hat, modify /etc/pam.d/system-auth instead). In enterprises it is generally set to 5; I set 5 here.
Ubuntu:
root@test:/etc# vim pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
CentOS/Red Hat:
root@test:/etc# vim pam.d/system-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
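To check the aging and history settings from the last four steps without reading the files by hand, here is an added Python example (written for this article, not the author's own tooling) that parses constructed samples of /etc/login.defs and an Ubuntu-style /etc/pam.d/common-password and reports where they fall short of the values used above (30/10/3 days, remember=5, and a complexity module in the stack). The sample file contents are constructed, and the fallback values used when a key is absent are assumptions of this example. Two caveats the article does not mention: values in login.defs apply to accounts created afterwards, while existing accounts keep the aging fields already recorded in /etc/shadow, which are changed per user with chage -M 30 -m 10 -W 3 <user>; and pam_unix stores the remembered password hashes in /etc/security/opasswd.

```python
import re

# --- Constructed samples (not taken from any real host) ---------------------

# /etc/login.defs fragment with typical shipped defaults: no aging enforced
WEAK_LOGIN_DEFS = """\
# Password aging controls (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""

# The same keys after applying the values used in this article
HARDENED_LOGIN_DEFS = """\
PASS_MAX_DAYS   30
PASS_MIN_DAYS   10
PASS_WARN_AGE   3
"""

# Ubuntu-style /etc/pam.d/common-password: stock, then with history and
# complexity added as the article describes
WEAK_PAM = """\
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
"""

HARDENED_PAM = """\
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
password requisite pam_deny.so
password required pam_permit.so
"""

# --- Parsers ---------------------------------------------------------------

def parse_login_defs(text):
    """Map KEY -> VALUE for 'KEY VALUE' lines; '#' starts a comment and
    later assignments override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings

# type, control (one word or the bracketed [a=b c=d] form), module, arguments
PAM_PASSWORD_LINE = re.compile(r"^password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_password(text):
    """Map module filename -> {option: value} for every 'password' line.
    Bare flags such as 'obscure' map to an empty string."""
    modules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PAM_PASSWORD_LINE.match(line)
        if not m:
            continue
        _control, module, args = m.groups()
        opts = {}
        for token in args.split():
            key, _, value = token.partition("=")
            opts[key] = value
        modules[module] = opts
    return modules

# --- Audit -----------------------------------------------------------------

def audit(login_defs_text, pam_text, max_days=30, min_days=10, warn_age=3, history=5):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    defs = parse_login_defs(login_defs_text)

    def days(key, fallback):
        # fallback is an assumed value for a key that is absent from the file
        return int(defs.get(key, fallback))

    if days("PASS_MAX_DAYS", 99999) > max_days:
        findings.append(f"PASS_MAX_DAYS exceeds {max_days} days")
    if days("PASS_MIN_DAYS", 0) < min_days:
        findings.append(f"PASS_MIN_DAYS below {min_days} days")
    if days("PASS_WARN_AGE", 7) < warn_age:
        findings.append(f"PASS_WARN_AGE below {warn_age} days")

    pam = parse_pam_password(pam_text)
    unix = pam.get("pam_unix.so")
    if unix is None:
        findings.append("pam_unix.so missing from the password stack")
    else:
        if int(unix.get("remember") or 0) < history:
            findings.append(f"pam_unix.so remember= below {history}: old passwords reusable")
        if "sha512" not in unix and "yescrypt" not in unix:
            findings.append("pam_unix.so not using a strong hash (sha512/yescrypt)")
    if not (pam.keys() & {"pam_cracklib.so", "pam_pwquality.so"}):
        findings.append("no complexity module (pam_cracklib/pam_pwquality) in the stack")
    return findings

if __name__ == "__main__":
    for label, defs, pam in (("stock", WEAK_LOGIN_DEFS, WEAK_PAM),
                             ("hardened", HARDENED_LOGIN_DEFS, HARDENED_PAM)):
        result = audit(defs, pam)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run with python3; the stock sample produces four findings (maximum age, minimum age, missing remember=, no complexity module) and the hardened sample passes. To audit a real host, read the two files into the same functions; the module names checked include pam_pwquality.so because current Red Hat and Ubuntu releases ship it in place of pam_cracklib.so.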
Set password complexity
This controls the complexity of the password. According to the security requirements, enterprises require a combination of at least three of uppercase letters, lowercase letters, special characters and digits, with a length of at least 8. Look for the line that contains both "password" and "pam_cracklib.so" and append "ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1"; this forces the password to include at least one uppercase letter, two lowercase letters, one digit and one symbol.
Ubuntu:
root@test:/etc# vim pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
CentOS/Red Hat:
root@test:/etc# vim pam.d/system-auth
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
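The credit options are easy to get backwards, so here is an added Python example (written for this article, not pam_cracklib's own code) that models the documented meaning of minlen, ucredit, lcredit, dcredit and ocredit: a negative value is a minimum count of that character class, while a non-negative value is the maximum number of length credits that class may earn, lowering the effective minimum length. It checks a few constructed sample passwords against the line above (minlen=10 with all credits negative) and then shows the caveat that the same minlen=10 with the default positive credits lets a 9-character password through. The dictionary check and difok are not modelled; the option names are also accepted by pam_pwquality, which replaces pam_cracklib on current distributions.

```python
# Model of the pam_cracklib(8) credit rules, written for this article.
# Dictionary checks and difok (similarity to the old password) are not modelled.

def class_counts(password):
    """Count digits, uppercase, lowercase and 'other' characters."""
    digits = sum(c.isdigit() for c in password)
    uppers = sum(c.isupper() for c in password)
    lowers = sum(c.islower() for c in password)
    others = len(password) - digits - uppers - lowers
    return {"digit": digits, "uppercase": uppers, "lowercase": lowers, "other": others}


def check_complexity(password, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return (ok, reason).

    A negative credit -N means "at least N characters of this class".
    A non-negative credit N means "each character of this class, up to N,
    counts as one extra character of length", so the effective minimum
    length becomes minlen minus the credits earned.
    """
    counts = class_counts(password)
    credits = {"digit": dcredit, "uppercase": ucredit, "lowercase": lcredit, "other": ocredit}
    effective_min = minlen
    for cls, credit in credits.items():
        if credit < 0:
            if counts[cls] < -credit:
                return False, f"needs at least {-credit} {cls} character(s)"
        else:
            effective_min -= min(counts[cls], credit)
    if len(password) < effective_min:
        return False, f"length {len(password)} below effective minimum {effective_min}"
    return True, "ok"


# The article's pam_cracklib line: minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
ARTICLE_POLICY = dict(minlen=10, ucredit=-1, lcredit=-2, dcredit=-1, ocredit=-1)

# Constructed sample passwords for the walk-through (not real credentials)
SAMPLES = ["Passw0rd!x", "Passw0rd!", "passw0rd!!", "PASSW0RD!!"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:12} article policy -> {check_complexity(pw, **ARTICLE_POLICY)}")
    # With the default positive credits the same minlen=10 accepts a
    # 9-character password, because each character class earns a length credit
    print("Passw0rd!    minlen=10, default credits ->", check_complexity("Passw0rd!", minlen=10))
```

Under the article's line only "Passw0rd!x" passes: "Passw0rd!" is one character short of minlen=10, "passw0rd!!" has no uppercase letter, and "PASSW0RD!!" lacks the two required lowercase letters. The last line shows why the negative values matter: with credits left at their defaults, minlen is not a hard length floor.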