DCA Security FAQ‎ > ‎

Best Practices for Password Management

posted Oct 10, 2012, 7:17 AM by Sachchida Ojha
Best practices for creating and managing user passwords within an organization.

1.Root Password
The security of the entire system depends on the strength of the root password. This password should be at least 12 characters long and include a mix of capitalized letters, lowercase letters, special characters, and numbers. It should not be based on any dictionary word.

2.Set Password Expiration Parameters
Edit the file /etc/login.defs to specify password expiration settings for new accounts. Add or correct the following lines:
PASS_MAX_DAYS 60 — Sets the password to expire after 60 days.
PASS_MIN_DAYS 1 — Enforces a 1 day minimum time between password resets.
PASS_MIN_LEN 14 — Enforces a minimum password length of 14.
PASS_WARN_AGE 7 — Delivers a password expiration warning 7 days before the max_days.
For each existing user account, modify the current expiration settings to match the policy:
# chage -M 60 -m 7 -W 7 {username}

3.Remove Password Parameters from libuser.conf
Ensure the following line exists within the file /etc/libuser.conf under the [import] section.
login_defs = /etc/login.defs
Ensure no lines in the [userdefaults] section begin with the following text, as these words override settings from /etc/login.defs:
LU_SHADOWMAX
LU_SHADOWMIN
LU_SHADOWWARNING

4.Remove Legacy '+' Entries from Password Files
Ensure the following command does not produce any output. Any accounts produced by running this command should be locked.
grep "^+:" /etc/passwd /etc/shadow /etc/group
Comments