41 Comments
- ChanEilFhios, on 10/12/2007, -0/+35
Password aging is a horrible idea. It causes users to use less secure passwords and to store them on sticky notes on or around their computer. It is not helpful in maintaining security. The example used in the article of preventing a laid off employee from coming back in 3 months is ridiculous. Their account must be disabled on the day they leave. Otherwise, they could come back...oh, maybe, tomorrow! What good does two months get you then?
- inactive, on 10/12/2007, -0/+11
Definitely in agreement. A better policy is to enforce rules for good passwords, not passwords that expire every so often. That means numbers, letters, non-alphanumeric characters, and nothing under 10 characters. A little anal, but better than having a new iteration of someone's favorite color every month.
- Araxen, on 10/12/2007, -1/+11
Password aging is horrible. All it does is promote simple passwords as people get sick of memorizing passwords.
- MaddDog, on 10/12/2007, -0/+6
There have been studies (by the BBC) that have shown that a large percentage of employees will trade their work password for a chocolate bar, and that half of those would even give up their work password for nothing. Employee satisfaction is far more important than computer passwords, because a pissed off employee is one that will tell all of your company secrets. And requiring an employee to change his password every 2 weeks is not a good way to keep them happy.
- catoutfit, on 10/12/2007, -1/+7
Your wife has a tail? She must be a mutant.
tale* ;)
- CoolWind, on 10/12/2007, -0/+6
I've never understood this idea that "new" passwords are better than "old" ones.
- xutopia, on 10/12/2007, -0/+6
I hate aging passwords as I hate not being able to change my password myself. I end up having to write them down. Like right now I have a Tomboy note with 12 passwords for different systems. It's open right here on my screen whenever I have to log on to those machines.
Of course no one can see my monitor and I lock it when I get up. Still though, if passwords were simpler I'd not have to do this kind of stuff.
- edmack, on 10/12/2007, -1/+7
So many password `good practices' are simply old wives' tales. I dig @ChanEilFhios
- roosterjm2k2, on 10/12/2007, -0/+5
I think everyone agrees. Everyone intelligent, that is. The problem is, the unintelligent bosses read ***** like this and tell their IT guys to do it.
It's a BAD BAD BAD idea. I asked around at the last company I worked for, I asked probably 50 people, and every one of them said the same thing.
You start with X password, let's say "p4ssw0rd" ... oops, it expired, "p4ssw0rd1" good, then "p4ssw0rd2", "p4ssw0rd3" and so on. Not much security there. I was actually thinking of my password when I was filling out an application: "how long have I been here? Well, my password is xxxx18, and the pass changes every month... so 18 months, easy enough."
Then if they do checks on the password to make sure you are actually changing it each time, the week after the change they answer 1000 calls about resetting forgotten passwords.
- enkoopa, on 10/12/2007, -3/+8
Agreed.
Our work passwords age every 4 months. I just suffix the password with a single digit number, and increment it every 4 months, and wrap around when I hit 9.
Another system at work has a GENIOUS password policy: you have to use a combination of vowels and consonants in the form of CVCCVC. Needless to say, brute forcing is made very difficult by that genious policy.
My home server (passwords last forever) has lowercase, uppercase, numbers and special characters and is like 13 characters long.
The only reason I could see ageing being useful is if you need extremely high security, and there is a chance for someone to catch your password (public place?). If that's the case you should be using one of those key-chain RSA number generators that change every 10 seconds in addition to a password.
- bluenova, on 10/12/2007, -0/+5
I agree. Our Windows LAN at work forces a password change every month, and you can't use any of your last 10 passwords. Very stupid, because it means people leave their passwords on sticky notes everywhere. I think this is probably why there is no GUI option to set this, because it's just plain silly.
- Waylander, on 10/12/2007, -0/+5
woxidu, I believe enkoopa was being sarcastic when he used the word "genious".
- cajunman4life, on 10/12/2007, -0/+3
I'm all in favor of the RSA SecurID. 6 digits that change every minute, in combination with a 4 character pin. The only downfall to this is if someone gets access to your SecurID token, and you use your birthday as your pin... but who does that? :)
- woxidu, on 10/12/2007, -1/+4
@enkoopa
That sounds incredibly insecure. If Brute Force knows about that policy, it just has to run through every combination of CVCCVC. There are staggeringly fewer of these than there are in the form XXXXXX where X can be anything. True security means that you can't know a lot about the secret without a prohibitive amount of work. With this, I already know far more than I knew about other people's passwords (assuming those people were using secure passwords).
- Gary13579, on 10/12/2007, -0/+3
The concept seems good, but in reality isn't. The only way this would make it more "secure" is if your box was literally used by a hacker to dump the pass files and they are brute forcing them on another PC, or you are running some services (ssh, mysql, etc).
For some things, this is just plain annoying. MySQL: every time the password is changed you need to update every script that uses that specific username.
Also a good password that you stick with is much better than changing the password to short, easy to remember ones. Use at least a 10-character alphanumeric, case-sensitive password and you should be good... Just use a different password for everything; one for PayPal, one for online banking, one for the ssh to your box, etc.
- Khaine, on 10/12/2007, -0/+3
Ummm, why don't you just boot in using 'linux single' http://aplawrence.com/Linux/lostlinuxpassword.html and reset the password? Or grab a livecd and chroot in and delete the shadow file? Seems to me like it would be faster.
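Added example (mine, not code from the thread or from any commenter): the arithmetic behind woxidu's objection to the CVCCVC policy, in Python. It counts the candidates a brute forcer who knows the policy has to try, compares that with six unconstrained letters and with a 13-character password drawn from all printable ASCII (the shape enkoopa describes for his home server), and turns each space into a worst-case search time. The template letters, the 21-consonant/5-vowel split and the guess rate are my assumptions; the same numbers are what you would weigh a rotation interval against if you wanted aging to outrun an offline crack.

```python
"""Keyspace arithmetic for the password shapes discussed in the thread.

Added example, not code from the page. Counts how many candidates an
attacker who knows the policy must try, and how long exhausting them takes
at an assumed guess rate.
"""
import itertools
import math

VOWELS = "aeiou"                        # assumption: 5 vowels
CONSONANTS = "bcdfghjklmnpqrstvwxyz"    # assumption: 21 consonants, y included
LOWER = "abcdefghijklmnopqrstuvwxyz"
PRINTABLE = "".join(chr(c) for c in range(32, 127))  # 95 printable ASCII chars

# Each template letter names the alphabet allowed at that position:
# C consonant, V vowel, L any lowercase letter, P any printable character.
ALPHABETS = {"C": CONSONANTS, "V": VOWELS, "L": LOWER, "P": PRINTABLE}


def keyspace(template):
    """Number of strings matching a template such as 'CVCCVC' or 'LLLLLL'."""
    n = 1
    for ch in template:
        n *= len(ALPHABETS[ch])
    return n


def entropy_bits(template):
    """log2 of the keyspace: the bits the attacker still has to guess."""
    return math.log2(keyspace(template))


def candidates(template):
    """Enumerate every string the template admits, which is exactly the list
    a brute forcer who knows the policy works through."""
    pools = [ALPHABETS[ch] for ch in template]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def seconds_to_exhaust(template, guesses_per_second):
    """Worst-case time to try the whole space at the given guess rate."""
    return keyspace(template) / guesses_per_second


if __name__ == "__main__":
    RATE = 1_000_000  # assumption: one million guesses/second against a fast hash
    shapes = [("CVCCVC policy", "CVCCVC"),
              ("six unconstrained lowercase letters", "LLLLLL"),
              ("thirteen printable ASCII characters", "P" * 13)]
    for name, tpl in shapes:
        print(f"{name:38s} {keyspace(tpl):>28,d} candidates "
              f"{entropy_bits(tpl):6.1f} bits "
              f"{seconds_to_exhaust(tpl, RATE) / 86400:.3g} days")
```

The CVCCVC space is about 4.9 million strings, roughly 22 bits, and is exhausted in seconds at the assumed rate; six unconstrained letters is 63 times larger, and the 13-character printable password is so far beyond both that the rotation interval stops mattering.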
- Whitey04, on 10/12/2007, -0/+3
If your password is cracked, it's cracked. In most instances, if somebody has your password for 6 months vs. forever there is no real difference. And the added problem of changing your password to something similar when it expires gives you no added benefit.
It is an old wives' tale: it is as likely your password will be brute forced as any other.
- catoutfit, on 10/12/2007, -0/+3
jgtg32a
so if you think my password is just:
thisismypassword
it is less secure if it becomes
a number generated by an algorithm, then thisismypassword, then a number generated based on an algorithm.
By the time a brute force has reached the point of the password that it was when you started the attack, it may have changed to a password it has already checked and thus been disregarded as an incorrect password.
Oh, and I'm guessing you don't know what Security by Obscurity actually means... which is in fact no bad thing; there is a strong dichotomy among security experts as to whether it's a bad idea or not.
"If anyone knows that algorithm then that part becomes meaningless on a brute force."
and also you would set the algorithm yourself... on a per password basis I might choose
d*m+(thisismypassword)+y-d
for example
- nx01, on 10/12/2007, -0/+3
Let's see, after 10 years in IT, I've learned that people will write down their passwords regardless of whether you force a change or not. They will give them to you on command because they have no idea what you can use them for. Give them an RSA key, and they'll lose them.
As an added bonus, those of us in IT departments of publicly traded companies get to do battle with Sarbanes-Oxley (SOX). SOX likes password expirations.
The only way to get them to use a secure method of authentication is for them to use biometrics. Unless someone forgets their finger at home (and who hasn't), it's secure, and they don't forget it.
Foolproof? No. But better than most.
- diecastbeatdown, on 10/12/2007, -0/+3
These are cool. Just need to re-sync every once in a while, but a great thing. I use them and love it.
- iamnos, on 10/12/2007, -0/+2
The problem is, people who are forced to change their passwords will typically just change a number at the beginning or end of their password. So say, I grab your password file and run a crack on it. 6 months later, I learn that Susie Q's password was password3. I'm going to quickly guess that her current password is something along the lines of password5, password6, or similar.
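Added example (mine, not code from the thread or from any commenter): the attack iamnos describes, written out in Python. Starting from a password cracked out of an old copy of the password file, it derives a short candidate list for the current one: trailing number bumped (the p4ssw0rd1, p4ssw0rd2 pattern from roosterjm2k2), wrap-around to 0 (enkoopa's scheme), month or year appended, a digit moved to the front, and the usual capitalisation and punctuation tweaks, then tests each against the current hash. The hash is a salted SHA-512 standing in for whatever the real system stores, and the users, salts and passwords are constructed for the demonstration.

```python
"""Guessing a rotated password from a previously cracked one.

Added example, not code from the page. Models an attacker who cracked an
old password and now wants the rotated successor. Hash function is a
stand-in (assumption: salted SHA-512), not any real shadow format.
"""
import hashlib
import re


def hash_password(password, salt):
    """Stand-in for the system's password hash (assumption: salted SHA-512)."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def rotation_guesses(old_password, max_suffix=99):
    """Yield likely successors of an old password, most likely first,
    without repeating a candidate."""
    seen = set()

    def emit(p):
        if p not in seen:
            seen.add(p)
            yield p

    # Split 'p4ssw0rd3' into stem 'p4ssw0rd' and trailing digits '3'.
    m = re.match(r"^(.*?)(\d+)$", old_password)
    stem, digits = (m.group(1), m.group(2)) if m else (old_password, None)

    # 1. Same stem, trailing number bumped: p4ssw0rd3 -> p4ssw0rd4, 5, ...
    if digits is not None:
        start = int(digits) + 1
        for n in range(start, start + max_suffix):
            yield from emit(stem + str(n).zfill(len(digits)))
    # 2. Stem with every short suffix: covers wrap-around and restarts at 0/1.
    for n in range(0, max_suffix + 1):
        yield from emit(stem + str(n))
    # 3. Month/year style suffixes and a leading digit instead of a trailing one.
    for n in range(1, 13):
        yield from emit(f"{stem}{n:02d}")
        yield from emit(f"{stem}{n:02d}07")   # assumption: year 2007, as on the page
        yield from emit(f"{n}{stem}")
    # 4. Case and punctuation twiddles people use to satisfy complexity rules.
    for p in (stem.capitalize(), stem + "!", stem.capitalize() + "!", stem + "1!"):
        yield from emit(p)


def crack(target_hash, salt, old_password, limit=10_000):
    """Try the rotation guesses against the current hash.

    Returns (password, guesses_used) on success, (None, guesses_used) when
    the candidate list is exhausted or the limit is reached."""
    tried = 0
    for guess in rotation_guesses(old_password):
        if tried >= limit:
            break
        tried += 1
        if hash_password(guess, salt) == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    # Constructed scenario: Susie's hash from six months ago cracked to
    # 'password3'; she has since rotated twice in the way the thread describes.
    salt = "x7Qd"
    current_hash = hash_password("password5", salt)
    print(crack(current_hash, salt, "password3"))
```

The point the numbers make: a rotation that keeps the stem costs the attacker a few hundred guesses at most, which is nothing next to the search that produced the original crack, so aging without a real-difference check buys almost no time.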
- gcauthon, on 10/12/2007, -0/+2
That's why admins should also limit how soon a user can change their password again. If there's no time gap enforced, then there's really no point in enabling password history or forcing password changes at all.
- joelito, on 10/12/2007, -0/+2
On debian, you are asked for the root password when trying to boot into single mode.
- omicronpersei8, on 10/12/2007, -0/+2
add this to your kernel options from your bootloader: init=/bin/bash
you will be dropped into a root shell, type:
mount none -t proc /proc
mount -o remount,rw /
passwd root
mount -o remount,ro /
sync
ctrl-alt-del
- gcauthon, on 10/12/2007, -0/+2
I don't know how employees continue to get away with this behavior. Someone gets caught playing solitaire on their computer and they're fired. But it's ok to circumvent security and lose valuable equipment?
As soon as companies start firing people for this stuff then it will quickly stop being a problem. It's a copout to expect IT to bend over backwards keeping these fools in line. Who's paying whom here?
- diecastbeatdown, on 10/12/2007, -0/+2
Single sign-on, LDAP, Kerberos, PAM. Look into these keywords and your life will be happy. Oh, and of course for all SSH use key files only.
All password aging, changing, etc. will be done through LDAP, or Open Directory if you are using Apple. Now you can tie that authentication into everything that accepts it: your websites, SSH servers, your mail.
- catoutfit, on 10/12/2007, -1/+2
I've always had this idea of a password based on an algorithm...
a basic example might be..
a phrase, then the (day of the week * the day of the month)
today:
3 (Wednesday) * 13 = 39
which would become:
thisismypassword39
obviously you could make it as complex as you like.
- myfanwy, on 10/12/2007, -0/+1
....ugh, utterly pointless. Regular password changing doesn't achieve anything; the number of times I've seen people use the same password next month, but with the month number appended. Choose a good, long password, follow other (useful) security procedures like only giving users the access they need, only installing trusted software, keeping security patches up to date... there are a thousand things more effective than this.
- dbr_onix, on 10/12/2007, -0/+1
Password aging isn't good; people will end up writing passwords down, or using weak passwords so they don't have to keep memorizing new ones. There are better ways of doing it. For remote access, public/private keypairs are probably the best way. For local logins (i.e. not through SSH), I use PAM_USB, which basically stores a public key on a USB drive (or a CD/floppy disc etc), and uses that to login. You can set it up so you HAVE to use the key file to login, or either the key or password, or you HAVE to have both to login. I use it on my server mainly to remove any ability to login as root remotely (either via sudo/su, or brute-forcing), and it saves having to remember a long passphrase for the root account.
Remember, even if your passwords are strong, and change every week or two, that doesn't stop remote exploits working, and they're probably a far bigger risk. Obviously if you've locked everything remote down, and you're a big-ish company, then some kind of protection on passwords would be a good idea..
Another way that might work: every few months, run a brute-force attack against the passwords of your employees; any that are broken easily, show them their passwords, hopefully that will prompt them to use better passwords in the future..
- Ben
- Dimensio, on 10/12/2007, -1/+2
Who had the idea that Linux systems do not support password aging by default? The passwd command, included with every distro that I have seen, has supported it for as long as I can remember.
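Added example (mine, not code from the thread, from any commenter, or from the shadow-utils project): Dimensio's point is that aging has always been there in passwd; the fields it and chage write live in /etc/shadow, and this Python block parses a constructed shadow line and works out the state a login or `chage -l` would report. It also shows the min-days field, which is what gcauthon's "limit how soon a user can change again" amounts to and what blocks the change-then-change-back trick. The sample user, hash, dates and limits are made up; the nine-field layout and the meaning of each aging field follow shadow(5), and the chage flags named in the comments are my reading of the chage man page.

```python
"""Reading the aging fields passwd/chage write into /etc/shadow.

Added example, not code from the page. Parses a constructed shadow entry
and classifies the password the way login/chage do. Field layout per
shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved, with
day values counted from 1970-01-01.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NO_EXPIRY = 99999  # conventional max-days value meaning "never expires"


def parse_shadow_line(line):
    """Split one shadow entry into its nine fields; aging fields become int,
    or None when the field is empty."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    name, pwhash, *aging, _reserved = fields
    lastchg, mindays, maxdays, warn, inactive, expire = (
        int(f) if f else None for f in aging
    )
    return {
        "name": name, "hash": pwhash,
        "lastchg": lastchg,    # chage -d : day of last password change (0 = must change)
        "min": mindays,        # chage -m : days before it may be changed again
        "max": maxdays,        # chage -M : days after which it must be changed
        "warn": warn,          # chage -W : days of warning before expiry
        "inactive": inactive,  # chage -I : days after expiry until the account locks
        "expire": expire,      # chage -E : absolute day on which the account expires
    }


def to_days(d):
    """Calendar date -> days since the epoch, as stored in shadow."""
    return (d - EPOCH).days


def day_number(year, month, day):
    return to_days(date(year, month, day))


def aging_status(entry, today):
    """Classify the password for a given day number.

    Returns a dict with 'state' and, where meaningful, 'expires_on' and
    'days_left' (negative once expired)."""
    lastchg, maxdays = entry["lastchg"], entry["max"]
    if lastchg == 0:
        return {"state": "must_change"}        # forced change at next login
    if lastchg is None or maxdays is None or maxdays >= NO_EXPIRY:
        return {"state": "no_aging"}
    expires_on = lastchg + maxdays
    days_left = expires_on - today
    if days_left > (entry["warn"] or 0):
        state = "ok"
    elif days_left > 0:
        state = "warning"                      # inside the warn window
    elif entry["inactive"] is not None and -days_left > entry["inactive"]:
        state = "locked"                       # past the inactivity grace period
    else:
        state = "expired"
    return {"state": state, "expires_on": expires_on, "days_left": days_left}


def can_change_now(entry, today):
    """min-days check: the user may not rotate again until that many days have
    passed since the last change, so change-and-change-back is refused."""
    if entry["lastchg"] is None or not entry["min"]:
        return True
    return today - entry["lastchg"] >= entry["min"]


# Constructed sample: alice changed her password on day 13798 (2007-10-12)
# under the equivalent of 'chage -m 1 -M 90 -W 7 -I 14 alice'; the hash
# is a placeholder, not a real digest.
SAMPLE = "alice:$6$placeholder$hash:13798:1:90:7:14::"

if __name__ == "__main__":
    e = parse_shadow_line(SAMPLE)
    for offset in (0, 80, 85, 95, 110):
        today = 13798 + offset
        print(EPOCH + timedelta(days=today), aging_status(e, today),
              "may change now:", can_change_now(e, today))
```

Running it walks the same entry through ok, warning, expired and locked as the days advance, and shows the change refused on the day of the last change and allowed the day after.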
- mta3d, on 10/12/2007, -1/+2
I think nearly all of you missed the point. While I think on balance I don't like password aging, it does have merits. The real reason for it is that if someone finds out your password (sees you type it or something), at some point in the future they are going to lose access to your account, rather than having possibly indefinite use of it.
- Ludwig, on 10/12/2007, -0/+1
I just change my password 3 or 4 times in a row. From 1212 to 1313 to 1414 and back to 1212 again.
Actual password security smells like a bad fart to management. They'll have none of it.
- Snaffler, on 10/12/2007, -0/+1
I don't need a password aging policy. I just loaded Debian on a test machine two days ago and I already forgot the root password. So, now it's fdisk time.
- diecastbeatdown, on 10/12/2007, -1/+1
wrong.
- Lycander, on 10/12/2007, -2/+2
I think it's more important for servers to change passwords regularly. Aging passwords makes sense AFTER the password has been compromised. Plus if an admin leaves a job, their knowledge of passwords won't come back to bite the company.
Otherwise, like everyone else is saying: aging passwords for clients is annoying.
- pceriotti, on 03/20/2009, -0/+0
I think you're missing the point here.
Password aging protects the system against the scenario where an attacker gets to steal the encrypted passwords file (/etc/shadow for example). The attacker will need to crack it, so they're going to try to use a dictionary or brute force attack. If your system enforces decent password policies, it will take quite a bit of time to get any result. That's when password aging comes in. The objective of password aging is to have the passwords changed by the time it would take an attacker to crack the encrypted passwords.
I agree though that just implementing password aging without any other consideration is only an inconvenience to the legit users.
Besides, password aging should be implemented with policies that check that the new password sufficiently differs from the old one.
- abuser, on 10/12/2007, -0/+0
This is annoying.
1. When prompted to change your password, change the password to some new password
2. Now log out and log in and change your password back to the original password
- Khaine, on 10/12/2007, -0/+0
But that is an issue with your password policy, not with the idea of password ageing. I am going to concede that for most places it is silly. But just because people cannot properly perform risk management and determine a correct password policy for their workplace is no reason to dismiss this as hogwash. It has its place, and its limitations.
- Khaine, on 10/12/2007, -1/+0
Password aging is supposed to help prevent brute-forcing. Let's say it takes you on average six months to crack one password using the current policy of 13 characters, non-dictionary words, etc. If they include that every three months you must change your password, this makes the brute-forcing a waste of time, as you can't determine what the password is during its life, and outside its life knowledge of the password is worthless.
- jgtg32a, on 10/12/2007, -3/+1
That's security by obscurity, big no-no.
If anyone knows that algorithm then that part becomes meaningless on a brute force.
- Anchoret, on 10/12/2007, -7/+4
Yes, the idea is imbecilic, plus the link is subscription-blocked.
Goes to prove ANY idiocy with the magic word "LINUX" in the title will get to the front page thanks to the fanboys.

