Creating Effective Passwords
November 17, 2004 Hey, Wayne O
Our users want passwords that are easy to remember, so I would like to keep them simple. What is the recommended practice for a typical OS/400 shop?
It is a constant struggle to decide just how far to go in making passwords secure. Eliminating trivial passwords is very important because if a hacker can compromise user passwords, he can access to your system. When I conduct a security audit I often discover trivial passwords. I once did an audit of an international bank and tried the user profile TEST, and–you guessed it–the password was also TEST. This account was created with *ALLOBJ special authority, and within minutes I found the international fund transfer file, complete with PIN numbers stored in the clear. They did not pass the audit. We can all agree that the user profile TEST with password TEST is very trivial. But there needs to be some reasonable compromise between using trivial passwords and making passwords so complicated that users have to write them down.
First I will review some general principles about passwords, and then I will relate them to the OS/400 password system values. Finally, I will share a tip that you can pass on to your users for remembering their passwords.
SOME GENERAL PASSWORD GUIDELINES
- Passwords are used by the system to authenticate who is using the system (they prove that you are you). To prevent a hacker from assuming your identity, you need to protect your password.
- Passwords should not be trivial, or they can be easily compromised. Avoid passwords that are the same as the user profile; passwords that are the names of children, pets, or common words; passwords that are all the same character, such as XXXXXXX; passwords that are identical to previous passwords except for a single character.
- The length of passwords should be at least six characters and include numbers. OS/400 can be configured to allow case-sensitive passwords of up to 128 characters. Most OS/400 installations use the simpler 10-character passwords that are not case-sensitive.
- Passwords should be changed every 30 to 90 days. Anytime a user suspects that someone else may know his password, the password should be changed.
- Profiles and passwords should be assigned to one person, not a group of individuals. You can break this rule in special cases where the profile is designed for a special purpose and has very limited access. For example, it may be best for the users of a scanning device in the stock room to use the same user ID and password. Never use a shared password for system operators or for individuals who must be accountable for their actions. Using group profiles is a good way to grant common authority to a group of users but at the same time give each user an individual profile.
- Sometimes users forget their passwords. When this happens, the user should be given a new password, which should be set to EXPIRED(*YES). Doing so requires the user to create a new password during the next sign-on.
- Users should not share their passwords with anyone. This is probably the simplest and most difficult rule to enforce. It takes educating users and a strict management policy (you get fired) to prevent password sharing. Sometimes security officers are the worst offenders. Security officers know the reason, and therefore should be the example of good practices.
PASSWORD-RELATED SYSTEM VALUES
I recommend the follow settings for the system settings that control user passwords and sign-on.
|System Value||Recommend Value||Description|
|QMAXSIGN||3-5||This system value determines how many sign-on attempts a user gets before the system takes action. If the user is not able to enter his password correctly, the QMAXSGNAC system value determines the system action.|
|QMAXSGNACT||2 or 3||
This system value determines the system response to repeated password failures. There are three possible settings:
1. Disable (vary off) the device where the failure occurred. The setting of 1 was more meaningful when users were hardwired to a dummy terminal. Today, most users are attached by a PC, and this option is not adequate because the PC user can simply connect again and get another virtual device.
2. Disable the user profile. When the user profile is disabled, you will need to make some provision to enable the user profile. If you have a help desk, I recommend creating a way for them to enable the user profile. (See “Securely Resetting Disabled User Profiles” for the RESETPWD command.)
3. Disable both the device and the user profile. This option is the most secure.
|QPWDEXPITV||60-90||Password Expiration Interval–passwords are set to expire every nn days. Users are notified seven days in advance of password expiration and are forced to change their password once it expires. When you change the system value, almost all users will be required to change their passwords, so alert your help desk to expect some users to be confused. Sending a note to users with tips on how to change their passwords will reduce the number of calls to the help desk.|
|QPWDLVL||0 (Other values are more secure.)||
Determines how OS/400 handles passwords and the content. The values are:
0. (Compatibility with older versions of OS/400) Passwords folded to uppercase and a maximum of 10 characters. No blanks or special characters are allowed. NetServer passwords are used when the PC user maps a drive letter to the OS/400 IFS. The passwords are stored with an insecure method. The NetServer passwords are subject to a password attack, called the dictionary attack. The dictionary attack stores the encrypted form of common works (all the words in the English dictionary) and then simply does a lookup and discovers the password of users. There are programs of OS/400 that use the dictionary attack. Elimination of NetServer passwords eliminates this attack. Requiring users to include a digit in passwords is a good way to avoid exposing passwords to the dictionary attack.
1. Same as 0, except the NetServer password is removed.
2. Passwords are case-sensitive and can be up to 128 characters long. Passwords can contain embedded blanks and special characters. NetServer passwords are retained if password is not too long.
3. Same as 2, except NetServer passwords are removed.
If you have multiple systems, keep the same setting on this system value for all systems. Eliminating the NetServer password is more secure, but users who map PC drives to the integrated file system will be required to enter passwords again.
Password Limit Adjacent Digits
0 (off)–Adjacent digits are allowed in passwords.
1 (on)–Adjacent digits are prevented.
|QPWDLMTCHR||#$@||Password Limit Characters–characters not valid on all international keyboards|
Password Limit Repetition
0–Repeated characters are allowed.
1–No repeated characters allowed.
2–No adjacent repeating characters.
|QPWDMAXLEN||8 or 10||Password Maximum Length–passwords can be no longer than eight characters in length.|
|QPWDMINLEN||6||Password Minimum Length–passwords must be a minimum of five or six characters in length.|
|QPWDPOSDIF||0 (off)||Password Position Different–new passwords can have characters in the same position as the previous password. This was intended to prevent trivial passwords like PASSWORD1, PASSWORD2, and PASSWORD3, but the rule is too strict because password can be very different but accidentally have matching characters. The only option to prevent the change of a single position is to use a password exit program.|
|QPWDRQDDGT||1 (on)||Password Required Digit–digits are required to be present in every password. I recommend this setting because requiring at least one digit will eliminate passwords that are common words and thus avoid the dictionary attack of passwords.|
|QPWDRQDDIF||1 to 5||
Password Required Different–new passwords are required to be different from previous passwords.
1–Can’t repeat for 32 password changes.
2–Can’t repeat for 24 password changes.
3–Can’t repeat for 18 password changes.
4–Can’t repeat for 12 password changes.
5–Can’t repeat for 10 password changes.
6–Can’t repeat for eight password changes.
7–Can’t repeat for six password changes.
8–Can’t repeat for four password changes.
|QPWDVLDPGM||*NONE||Password Validation Program–no special password validation program is used in addition to or in place of the standard OS/400 logic.|
PASSWORD MEMORY TIP
When you enforce all of the recommended password rules, users will complain that they can’t remember their passwords. I suggest that you share this very simple tip that will allow them to create a password that is difficult to guess but is easy to remember. Think of a short phrase that is easy to remember, and use the first letter of each word. There are many words that digits can be substituted for. Here are some examples:
|TPI2H2R||This password is too hard to remember|
|B8T4TG||Bill ate turkey for Thanksgiving|
|IW2KE40T||I want to kiss Ellen 40 times|
|M97KU2MG||My ’97 car uses too much gas|
–Wayne O. Evans
Security articles authored by Wayne O. Evans can be found on his Web site, www.woevans.com. Click here to contact Wayne O. Evans by e-mail.