password requirements
I've tried to capture the earlier discussion on password requirements.
See if you think this gets it. Dan and Neal, you will recognize some
of the wording :-)
---George
2.12.9 No Default Static Authentication Tokens (Passwords) ............ 45
2.12.10 Static Authentication Tokens (Passwords) Must Be Configured .... 45
2.12.11 Enforce Selection of Strong Local Static Authentication Tokens
(Passwords) ........................................................... 46
...
2.12.9 No Default Static Authentication Tokens (Passwords)
Requirement. The initial configuration of the device MUST NOT contain
any default passwords or similar static authentication tokens.
"Similar static authentication tokens" includes any form of shared
secret and any public or private key.
Justification. Default passwords provide an easy way for attackers to
gain unauthorized access to the device.
Examples. Passwords such as the name of the vendor, device, "default"
etc. are easily guessed. The SNMP community strings "public" and
"private" are well known defaults that provide read and write
access to devices.
Warnings. Lists of default passwords for various devices are readily
available at numerous websites.
2.12.10 Static Authentication Tokens (Passwords) Must Be Configured
Jones, Editor Expires February 5, 2004 [Page 45]
Internet-Draft Operational Security Requirements August 2003
Requirement. The device MUST require the operator to explicitly
configure passwords and similar static authentication tokens.
"Similar static authentication tokens" includes any form of shared
secret and any public or private key.
Justification. This requirement is intended to prevent unauthorized
management access. Requiring the operator to explicitly configure
passwords will tend to have the effect of ensuring a diversity of
passwords. It also shifts the responsibility for password
selection to the user.
Examples. Assume that a device comes with a console port for management
and a default administrative account. This requirement, together
with No Default Static Authentication Tokens (Passwords), says that
the administrative account must ship with no password
configured. One way of meeting this requirement would be to have
the device require the operator to choose a password for the
administrative account as part of a dialog the first time the
device is configured.
Warnings. While this requirement forces operators to set passwords, it
does not prevent them from doing things such as using scripts to
configure hundreds of devices with the same easily guessed password.
2.12.11 Enforce Selection of Strong Local Static Authentication Tokens
(Passwords)
Requirement. Strength checks for static passwords fall into three
types:
1. computational checks against the password itself (length,
character set, upper/lower case)
2. comparison checks against static data sets (dictionary tests)
3. comparison checks against dynamic data sets (history checks,
username tests)
The device MUST support at least computational checks with the
following minimum requirements: The password MUST be at least [6]
characters long and MUST contain at least [3] of the following
elements
The device MAY enforce the selection of "strong" local passwords
through comparison checks against dynamic and/or static data sets.
Justification. Trivial passwords are easily guessed, increasing the
likelihood of unauthorized access.
Examples. An initial configuration dialog may require the user to set
a password to control initial access. If the user enters a
password that is not strong (e.g. "123") then the configuration
dialog should inform the user that the chosen password is weak and
provide another opportunity to select a strong password.
Warnings.
George M. Jones, | Spam is to email as decay particles are
JAPH | to nuclear waste.
gmj@pobox.com |
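The three check types in 2.12.11 and the first-configuration dialog in 2.12.10 are easy to misread without seeing them wired together, so here is an added example (not text or code from the draft, and not George's). It simulates the dialog: the account starts with no password, each operator attempt is run through computational, static (dictionary) and dynamic (username/history) checks, and the dialog keeps asking until a candidate passes. It also includes a small audit of a constructed, IOS-style configuration for the default SNMP community strings named in 2.12.9. Assumptions: the draft's placeholders are taken as a 6-character minimum and 3 of 4 character classes (the element list itself is missing from the posted text, so lower, upper, digit and punctuation are assumed), and the dictionary, history and configuration are constructed stand-ins.

```python
"""Added example: first-configuration password dialog implementing the
computational, static and dynamic checks of draft section 2.12.11, plus
a default-community-string audit for section 2.12.9.

Assumed values (the draft posts "[6]" and "[3]" as placeholders and
omits the element list): length >= 6 and >= 3 of {lower, upper, digit,
punctuation}.  Dictionary, history and config below are constructed.
"""
import string

MIN_LENGTH = 6      # assumed from the draft's "[6]"
MIN_CLASSES = 3     # assumed from the draft's "[3]"

# Constructed stand-in for a static data set; a shipping device would use a
# real word list plus vendor/product names and known default credentials.
WEAK_DICTIONARY = frozenset({
    "password", "default", "admin", "public", "private", "123456",
})

# SNMP community strings the draft calls out as well-known defaults.
DEFAULT_COMMUNITIES = frozenset({"public", "private"})


def computational_checks(pw):
    """Type 1: checks against the password itself (length, character set)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    return problems


def static_checks(pw, dictionary=WEAK_DICTIONARY):
    """Type 2: comparison against a static data set (dictionary test)."""
    if pw.lower() in dictionary:
        return ["is a dictionary word or well-known default"]
    return []


def dynamic_checks(pw, username, history):
    """Type 3: comparison against dynamic data (username, history)."""
    problems = []
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if pw in history:
        problems.append("was used previously")
    return problems


def check_password(pw, username="", history=()):
    """All three check types; an empty list means the password is accepted."""
    return (computational_checks(pw)
            + static_checks(pw)
            + dynamic_checks(pw, username, history))


def initial_config_dialog(username, candidates, history=()):
    """Simulate the first-time dialog of 2.12.10/2.12.11.  `candidates`
    stands in for successive operator input.  Returns
    (accepted_password_or_None, list_of_rejection_messages)."""
    rejections = []
    for pw in candidates:
        problems = check_password(pw, username, history)
        if not problems:
            return pw, rejections
        rejections.append(f"{pw!r} rejected: " + "; ".join(problems))
    return None, rejections


def find_default_community_strings(config_text):
    """2.12.9 audit: report (line number, community) for every
    'snmp-server community <string> ...' line using a known default."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        parts = line.split()
        if (len(parts) >= 3 and parts[:2] == ["snmp-server", "community"]
                and parts[2].lower() in DEFAULT_COMMUNITIES):
            hits.append((lineno, parts[2]))
    return hits


# Constructed sample configuration (IOS-style syntax, illustration only).
SAMPLE_CONFIG = """\
hostname edge-router
snmp-server community public RO
snmp-server community private RW
snmp-server community k3Nq!x7 RO
"""

if __name__ == "__main__":
    accepted, notes = initial_config_dialog(
        "admin", ["123", "Password", "Admin#2003", "Tr0ub4dor!"])
    for n in notes:
        print(n)
    print("accepted:", accepted)
    print("default communities:", find_default_community_strings(SAMPLE_CONFIG))
```

The dialog returns the rejection reasons rather than printing them so that a device could feed them back to the operator, as the draft's Examples paragraph asks; note that the username check is a substring match, which is what catches "Admin#2003" for account "admin".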