Guessed Account Password
CAN-1999-0501
CAN-1999-0502
CAN-1999-0503
CAN-1999-0504
CAN-1999-0505
CAN-1999-0506
Impact
An attacker who is able to guess the password to a user account
can log in and obtain shell access to the system with the privileges
of that user. From there it is often easy to escalate to complete
control of the system, for example through a local privilege escalation
or by reading files that expose other credentials.
Background
Passwords are the most commonly used method of authenticating users
to a server. The combination of a login name and password is used
to verify the identity of a user requesting access, and to determine
what parts of the server the user has permission to access.
The Problem
Administrators often set up new user accounts with no password or with
a default password which is easy to guess. Additionally, some users
choose a simple password which is easy to remember. Null passwords,
default passwords, and passwords that are identical or very similar to
the login name are among the first guesses an attacker will try, and they
give an easy way into the system.
Resolution
Protect all accounts with a password that cannot easily be guessed.
Require users to choose passwords which are at least eight characters
long, which include numeric and non-alphanumeric characters, and which
are not based on the login name or any other personal information about
the user. Enforce this policy at password-setting time using a utility
such as
npasswd
in place of the default UNIX passwd program. Check the
strength of all account passwords periodically using a password
cracking utility such as
Crack for Unix or L0phtcrack
for Windows, and change or disable any account whose password is found.
Where can I read more about this?
Walter Belgers' paper,
UNIX password security, is a good reference on strengthening passwords.