Best Practices for Password Management

Post date: Oct 10, 2012 2:17:43 PM

Best practices for creating and managing user passwords within an organization.

1. Root Password

The security of the entire system depends on the strength of the root password, since that account bypasses every other control on the host. This password should be at least 12 characters long and include a mix of uppercase letters, lowercase letters, special characters, and numbers. It should not be based on any dictionary word, and it should not be reused on any other system.

2. Set Password Expiration Parameters

Edit the file /etc/login.defs to specify password aging settings for accounts created from then on (login.defs only governs new accounts; existing accounts keep the aging values already stored in /etc/shadow). Add or correct the following lines:

PASS_MAX_DAYS 60 — Forces a password change after 60 days.

PASS_MIN_DAYS 1 — Enforces a minimum of 1 day between password changes, so a user cannot immediately cycle back to a previous password.

PASS_MIN_LEN 14 — Requests a minimum password length of 14. On PAM-based systems this setting is ignored; the effective minimum length is whatever the PAM password module (pam_cracklib or pam_pwquality) enforces, so set it there as well.

PASS_WARN_AGE 7 — Warns the user 7 days before the password expires.

For each existing user account, set the aging fields in /etc/shadow to the same policy (maximum 60 days, minimum 1 day, 7 days' warning):

# chage -M 60 -m 1 -W 7 {username}

Verify the result with chage -l {username}.
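The following script is an added example, not part of the original article, that applies and audits the aging policy from this step. It assumes the standard /etc/login.defs format ("KEY VALUE" lines, '#' comments) and the standard /etc/shadow layout (colon-separated, aging fields min=4, max=5, warn=6); the function names, and the sample account lines in demo, are this example's own constructed data. File paths are parameters so the functions can be tried on copies before touching the real files.

```shell
#!/bin/sh
# Added example, not part of the original article: apply and audit the password-aging
# policy from step 2. Assumes the standard /etc/login.defs ("KEY VALUE" lines, '#'
# comments) and /etc/shadow (colon-separated; aging fields min=4, max=5, warn=6) formats.
# File paths are parameters so the functions can be tried on copies first.

# set_login_def FILE KEY VALUE
# Replace an existing KEY line (active or commented out) with "KEY VALUE", or append one.
set_login_def() {
    file=$1; key=$2; value=$3
    if grep -Eq "^#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s|^#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_login_def FILE KEY
# Print the effective (uncommented) value of KEY; last occurrence wins, empty if unset.
get_login_def() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# audit_shadow_aging SHADOWFILE MAX MIN WARN
# For every account that has a real password hash (field 2 is not empty and does not
# start with '*' or '!'), compare the aging fields against the policy and print one
# chage command per non-compliant account. Locked and passwordless accounts are skipped.
audit_shadow_aging() {
    awk -F: -v max="$2" -v min="$3" -v warn="$4" '
        $2 != "" && $2 !~ /^[!*]/ {
            if ($4 != min || $5 != max || $6 != warn)
                printf "chage -M %s -m %s -W %s %s\n", max, min, warn, $1
        }' "$1"
}

# demo: dry run against constructed copies (sample data, not real system files).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '# PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' 'UMASK 022' > "$tmp/login.defs"
    set_login_def "$tmp/login.defs" PASS_MAX_DAYS 60
    set_login_def "$tmp/login.defs" PASS_MIN_DAYS 1
    set_login_def "$tmp/login.defs" PASS_WARN_AGE 7
    cat "$tmp/login.defs"

    # root already matches the policy; alice does not; daemon and bob have no usable password.
    printf '%s\n' 'root:$6$h1:15000:1:60:7:::' 'alice:$6$h2:15000:0:99999:7:::' \
        'daemon:*:15000:0:99999:7:::' 'bob:!!:15000:0:99999:7:::' > "$tmp/shadow"
    audit_shadow_aging "$tmp/shadow" 60 1 7    # prints: chage -M 60 -m 1 -W 7 alice
    rm -r "$tmp"
}

# Real use (as root): set_login_def /etc/login.defs PASS_MAX_DAYS 60, and so on for the
# other keys, then   audit_shadow_aging /etc/shadow 60 1 7 | sh   to apply the chage commands.
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` for the dry run. The audit deliberately skips accounts whose password field is '*', '!' or '!!', because those cannot log in with a password and chage on them only adds noise; review that list separately if locked accounts are expected to be re-enabled later.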

3. Remove Password Parameters from libuser.conf

Tools built on libuser (luseradd, system-config-users and similar) take their account defaults from /etc/libuser.conf rather than directly from /etc/login.defs. Ensure the following line exists within the file /etc/libuser.conf under the [import] section, so that the aging policy above is imported:

login_defs = /etc/login.defs

Ensure no lines in the [userdefaults] section begin with the following keys, as values set there override the settings imported from /etc/login.defs:

LU_SHADOWMAX

LU_SHADOWMIN

LU_SHADOWWARNING

4. Remove Legacy '+' Entries from Password Files

Lines beginning with '+' are legacy NIS compatibility markers that tell the system to merge entries from the NIS maps at that point in the file. On a system that does not use NIS they serve no purpose and may provide an avenue for an attacker to add accounts. Ensure the following command produces no output; delete any lines it reports.

# grep '^+:' /etc/passwd /etc/shadow /etc/group