<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Root password discipline in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880662#M752136</link>
    <description>Typically all the root passwords are the same. I use NIS+ to manage all non-root passwords. My root passwords do not expire automatically but I replace them on 90-day intervals. &lt;BR /&gt;&lt;BR /&gt;My password convention is to choose an obscure astronomical term or combination of terms and then intentionally misspell it and embed at least one special character. Moreover, mixed-case is always used. I've used this scheme for at least 10+ years and have never repeated a password.&lt;BR /&gt;&lt;BR /&gt;I have been given completely free rein to compose the password composition rules for root and all other users.&lt;BR /&gt;&lt;BR /&gt;As an example,&lt;BR /&gt;"ObafgKm!" - believe it or not, except for the Mixed-case and the '!' that would be very, very easy for any astronomer to remember and very difficult for any other admins to remember. The good news is that none of my admins like any of my root passwords.&lt;BR /&gt;&lt;BR /&gt;</description>
    <pubDate>Mon, 13 Jan 2003 19:53:16 GMT</pubDate>
    <dc:creator>A. Clay Stephenson</dc:creator>
    <dc:date>2003-01-13T19:53:16Z</dc:date>
    <item>
      <title>Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880657#M752131</link>
      <description>Hi everybody,&lt;BR /&gt;&lt;BR /&gt;I'm curious about how everybody manages the root password discipline in their environment.  We all know how important it is to keep the root password secure, but what steps do you take to keep it safe?&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;How often do you change your root passwords?  &lt;BR /&gt;&lt;BR /&gt;Do you keep a different root password for each Unix machine or do you use the same one for multiple machines?  &lt;BR /&gt;&lt;BR /&gt;Do you use a machine generated password with lots of upper and lower case letters, numbers, and special characters?  &lt;BR /&gt;&lt;BR /&gt;Do you use something that is somewhat easy to remember or are they completely random?  &lt;BR /&gt;&lt;BR /&gt;Is your password discipline dictated by company/departmental policy or is it determined by you and your group?&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;Please don't post any real root passwords!  I'm just curious how different people manage the issue.  And don't just tell me what you tell the security auditors.  Tell me what you *really* do.  ;)&lt;BR /&gt;&lt;BR /&gt;JP&lt;BR /&gt;</description>
      <pubDate>Mon, 13 Jan 2003 19:27:05 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880657#M752131</guid>
      <dc:creator>John Poff</dc:creator>
      <dc:date>2003-01-13T19:27:05Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880658#M752132</link>
      <description>Hi John,&lt;BR /&gt;&lt;BR /&gt;Here's what we are fixing to start doing:&lt;BR /&gt;&lt;BR /&gt;1) Root passwords expire every 90 days (they currently expire at different times, some don't expire)&lt;BR /&gt;&lt;BR /&gt;2) We have 1 password that works on most machines, some machines that other groups require the root password to have different passwords.&lt;BR /&gt;&lt;BR /&gt;3) We do not use machine generated passwords.  We generally use regular words, but with numbers in place of some letters.  A place I used to work used phrases, where the password was the first letter of each word, or we might use a number for a word in the phrase.&lt;BR /&gt;&lt;BR /&gt;4) Passwords are generally easy to remember, but with 4 - 5 different passwords, well......&lt;BR /&gt;&lt;BR /&gt;5) Our password rules are, I believe, department policy.</description>
      <pubDate>Mon, 13 Jan 2003 19:36:14 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880658#M752132</guid>
      <dc:creator>Patrick Wallek</dc:creator>
      <dc:date>2003-01-13T19:36:14Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880659#M752133</link>
      <description>John,&lt;BR /&gt;&lt;BR /&gt;Since I define the rules and decide when to change the password, it hasn't been changed in quite some time (I probably should, but . . . ).  We use an 8 character password made up of random letters - no numbers, no special characters.&lt;BR /&gt;&lt;BR /&gt;Pete</description>
      <pubDate>Mon, 13 Jan 2003 19:39:38 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880659#M752133</guid>
      <dc:creator>Pete Randall</dc:creator>
      <dc:date>2003-01-13T19:39:38Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880660#M752134</link>
      <description>Those rules sound familiar Patrick. The security police usually sets the rules or auditors will determine what you need to do.</description>
      <pubDate>Mon, 13 Jan 2003 19:45:05 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880660#M752134</guid>
      <dc:creator>Ken Hubnik_2</dc:creator>
      <dc:date>2003-01-13T19:45:05Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880661#M752135</link>
      <description>To answer your question in order:&lt;BR /&gt;&lt;BR /&gt;-We change our root password every 90 days&lt;BR /&gt;&lt;BR /&gt;-We have a different password for every machine.  It may only vary by 2 characters from one machine to the next - but each is different&lt;BR /&gt;&lt;BR /&gt;-We generate our own random passwords.  We just put some numbers and letters together and call it a password - no dictionary words. &lt;BR /&gt;&lt;BR /&gt;-We generally run a crack program on our /etc/passwd file to test the strength of root/user passwords&lt;BR /&gt;&lt;BR /&gt;-Our passwords aren't really that easy to remember - I've forgotten them before and had to ask another guy in my department&lt;BR /&gt;&lt;BR /&gt;-Our company has a Security team that dictates most of our policies&lt;BR /&gt;</description>
      <pubDate>Mon, 13 Jan 2003 19:50:18 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880661#M752135</guid>
      <dc:creator>John Meissner</dc:creator>
      <dc:date>2003-01-13T19:50:18Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880662#M752136</link>
      <description>Typically all the root passwords are the same. I use NIS+ to manage all non-root passwords. My root passwords do not expire automatically but I replace them on 90-day intervals. &lt;BR /&gt;&lt;BR /&gt;My password convention is to choose an obscure astronomical term or combination of terms and then intentionally misspell it and embed at least one special character. Moreover, mixed-case is always used. I've used this scheme for at least 10+ years and have never repeated a password.&lt;BR /&gt;&lt;BR /&gt;I have been given completely free rein to compose the password composition rules for root and all other users.&lt;BR /&gt;&lt;BR /&gt;As an example,&lt;BR /&gt;"ObafgKm!" - believe it or not, except for the Mixed-case and the '!' that would be very, very easy for any astronomer to remember and very difficult for any other admins to remember. The good news is that none of my admins like any of my root passwords.&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Mon, 13 Jan 2003 19:53:16 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880662#M752136</guid>
      <dc:creator>A. Clay Stephenson</dc:creator>
      <dc:date>2003-01-13T19:53:16Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880663#M752137</link>
      <description>Well, you did say the truth....&lt;BR /&gt;&lt;BR /&gt;We change root pw's whenever there is a personnel change OR we've been made to give up the current password to our 3rd level support group (we're second level).&lt;BR /&gt;&lt;BR /&gt;On the machines that only our group uses, the same password is used.  Webservers allow the inet group access, so we allow them to set the passwords since we can ssh in and change it at will from another box.&lt;BR /&gt;&lt;BR /&gt;Mix of letters/chars/nums/upper/lower (but not always all of them)&lt;BR /&gt;&lt;BR /&gt;We use either a "h@X0r"ed word or a memorable phrase in general.  We've tried random, but people (go figure) wrote the buggers down.&lt;BR /&gt;&lt;BR /&gt;In theory - department policy&lt;BR /&gt;In practice - we do what we deem best.&lt;BR /&gt;&lt;BR /&gt;Jon&lt;BR /&gt;</description>
      <pubDate>Mon, 13 Jan 2003 20:08:51 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880663#M752137</guid>
      <dc:creator>Jon Mattatall</dc:creator>
      <dc:date>2003-01-13T20:08:51Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880664#M752138</link>
      <description>Tell you our security policy? How we choose passwords?&lt;BR /&gt;&lt;BR /&gt;Shades of Kevin Mitnick!&lt;BR /&gt;&lt;BR /&gt;There are plenty of white papers out there on password security and maintenance, use them.&lt;BR /&gt;&lt;BR /&gt;Give some black hat hacker (who is probably reading this and laughing) a leg up on cracking our system by discussing how we choose passwords and how frequently we change them? No way!&lt;BR /&gt;&lt;BR /&gt;Signed&lt;BR /&gt;&lt;BR /&gt;Paul (yes they are out to hack me) Courry</description>
      <pubDate>Mon, 13 Jan 2003 20:46:28 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880664#M752138</guid>
      <dc:creator>paul courry</dc:creator>
      <dc:date>2003-01-13T20:46:28Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880665#M752139</link>
      <description>Paul,&lt;BR /&gt;&lt;BR /&gt;Kevin Mitnick?  Easy, big guy.  &lt;BR /&gt;&lt;BR /&gt;I'm just trying to get a feel for what the rest of the real world does.  White papers?  Sure, I've read a bunch of them too.  Mostly written by expert consultants who fly in, give a bunch of nice recommendations, collect their money, and fly back out.  I want to hear what other people like me are doing about password discipline.  People working in the trenches everyday who probably won't have a job if the systems get hacked.&lt;BR /&gt;&lt;BR /&gt;One reason I come here is because I'm listening to people who administer the systems on a daily basis.  I tried to make the questions such that they could be answered without giving away too much information about the discipline in your environment.  I'm concerned with how often to change them, and how hard to make them.  I want them to be reasonably hard to crack, but if I make them too hard and too ugly I'll run into the problem that Jon mentioned where admins start writing them down on notes next to their computer!&lt;BR /&gt;&lt;BR /&gt;Thanks for expressing your opinion, Paul.  &lt;BR /&gt;&lt;BR /&gt;Thanks to the rest of you who were obviously brave enough [or foolish enough according to Paul] to respond to my post.&lt;BR /&gt;&lt;BR /&gt;JP&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Mon, 13 Jan 2003 21:38:58 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880665#M752139</guid>
      <dc:creator>John Poff</dc:creator>
      <dc:date>2003-01-13T21:38:58Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880666#M752140</link>
      <description>We follow the 90 day rule.&lt;BR /&gt;&lt;BR /&gt;root and important dba passwords change on this basis.  dba passwords are allowed to be the same on multiple machines, since some dba's can't handle it any other way.&lt;BR /&gt;&lt;BR /&gt;we do not allow the root password to be the same on two machines except:&lt;BR /&gt;&lt;BR /&gt;While building multiple machines, we choose the same root password for each of them.  When it goes prod it changes.&lt;BR /&gt;&lt;BR /&gt;We do not set root passwords to expire because an operator might get the prompt, change the password and not bother to tell anyone.  That happened here, and I ended up having to go to single user mode to reset it, since the guy FORGOT it too.&lt;BR /&gt;&lt;BR /&gt;We don't let them expire also, so I can pick and choose the change time.  I don't change them right before a vacation or conference, since every time we change it, it generates nextel calls and pages for me.&lt;BR /&gt;&lt;BR /&gt;Steve</description>
      <pubDate>Mon, 13 Jan 2003 23:00:54 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880666#M752140</guid>
      <dc:creator>Steven E. Protter</dc:creator>
      <dc:date>2003-01-13T23:00:54Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880667#M752141</link>
      <description>We, generally, have different system passwords on each system. The password starts with a base word which is modified with numbers and/or special characters. A suffix is added that is a characteristic of the system that will make the password different from the other systems. The passwords are different, but occasionally, the characteristic chosen is the same on more than one system, hence they will have the same password.&lt;BR /&gt;&lt;BR /&gt;We use pseudo root accounts, which are usually disabled, to give outside vendors root access. That way their access doesn't affect our password rollover.&lt;BR /&gt;&lt;BR /&gt;HTH&lt;BR /&gt;Marty</description>
      <pubDate>Mon, 13 Jan 2003 23:04:15 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880667#M752141</guid>
      <dc:creator>Martin Johnson</dc:creator>
      <dc:date>2003-01-13T23:04:15Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880668#M752142</link>
      <description>Hi John,&lt;BR /&gt;&lt;BR /&gt;I think different companies display and try to maintain their own rules. We can only try to improve it or at least make it more flexible.&lt;BR /&gt;&lt;BR /&gt;I change the passwords somewhere in the vicinity of 60-90 days, usually more often when I find something has been created, like a .rhosts file or hosts.equiv that has been created for convenience by someone and then left behind. (I'm not the only SA here.) If someone leaves, their account is automatically disabled and the root passwords on all systems are changed immediately.&lt;BR /&gt;&lt;BR /&gt;We use a 'sudo' and sudo/ssh for our systems in our DMZ.&lt;BR /&gt;No system has the same root password. I try to make them not difficult but not so that they are easily remembered. They are stored in a safe place and only known by me and my manager.&lt;BR /&gt;Any software installs are detected almost immediately, so no occurrences of crack or anything else can easily be introduced.&lt;BR /&gt;&lt;BR /&gt;Cheers&lt;BR /&gt;Michael</description>
      <pubDate>Mon, 13 Jan 2003 23:10:41 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880668#M752142</guid>
      <dc:creator>Michael Tully</dc:creator>
      <dc:date>2003-01-13T23:10:41Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880669#M752143</link>
      <description>Hi John,&lt;BR /&gt;&lt;BR /&gt;We use eTrust from CA for this issue. It was recommended by HP itself.&lt;BR /&gt;eTrust will allow you to use "sesu" this is a tool that works like su but allows you (and your defined colleagues) to become root with your own password. It can generate passwords for you, but you can also type in your own. You set specific rules like the alpha num/num/upper, etc. You can also set the amount of these type of characters are required. Password history/name check, etc can also be set.&lt;BR /&gt;You can even specify which user is allowed during what times to login under root/yourid, etc you can set terminals and so on. So you keep your switch-to-root option minimized and secured. Everything is logged. You can also implement this as a kind of secured NIS to propagate new users to the servers you add in the config.&lt;BR /&gt;&lt;BR /&gt;Apart from password rules you can also define file protections, process protections, switch-user bit protections, timeframe protections, etc. You can make it very complicated, but you can also choose to keep it very simple.&lt;BR /&gt;&lt;BR /&gt;Hope this is of any interest for you.&lt;BR /&gt;&lt;BR /&gt;Regs David</description>
      <pubDate>Tue, 14 Jan 2003 10:37:55 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880669#M752143</guid>
      <dc:creator>David_246</dc:creator>
      <dc:date>2003-01-14T10:37:55Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880670#M752144</link>
      <description>Hi,&lt;BR /&gt;&lt;BR /&gt;I have picked a memorable phrase (to me anyway) and have created the password from that, using numbers as well as letters.&lt;BR /&gt;&lt;BR /&gt;The password is generally changed when personnel leave but I am going to start changing it on a 3 monthly basis.&lt;BR /&gt;&lt;BR /&gt;I have also just learned that some servers can't have the password changed as it's used for file transfer purposes - don't like the sound of that.&lt;BR /&gt;&lt;BR /&gt;Regards,&lt;BR /&gt;&lt;BR /&gt;Hilary&lt;BR /&gt;</description>
      <pubDate>Tue, 14 Jan 2003 11:11:48 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880670#M752144</guid>
      <dc:creator>BFA6</dc:creator>
      <dc:date>2003-01-14T11:11:48Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880671#M752145</link>
      <description>1)  root passwords nominally changed every 3 months, or less if a member of staff knowing the root password leaves in that time.  The 3 months will be effectively reset if it is changed part way through, and we have had occasions where it's been left longer (if for example someone was known to be leaving a week or so after the change was due, it's delayed so that we don't have 2 changes in quick succession)&lt;BR /&gt;&lt;BR /&gt;2)  we have a root ID, and a root equivalent ID on each machine (root only used in emergencies such as when some [is it fair to use the word idiot??] person changes the other password, and doesn't tell anyone else what it is.  The passwords also vary between live machines on the local LAN, test machines (we allow some people root access on the test systems that we don't let loose on the live ones), and those which can connect to the internet.&lt;BR /&gt;&lt;BR /&gt;3)  manually determined passwords, mix of all available characters (not always using a number AND special character)&lt;BR /&gt;&lt;BR /&gt;4)  passwords normally based on the initial letters of a phrase, most often randomly thought up by me, so that they don't have a personal/business specific link that can be more easily guessed at.&lt;BR /&gt;&lt;BR /&gt;eg:&lt;BR /&gt;&lt;BR /&gt;t1arpk!s (this 1s a root password, keep !t secret)&lt;BR /&gt;&lt;BR /&gt;[don't worry, it's not a real one that I've ever used, or ever will]&lt;BR /&gt;&lt;BR /&gt;The difficulty is normally in the trade-off between easy to remember, or risk having people write it down somewhere.  I try to go for one that is tricky to remember, but once learned can be typed quickly (I'm sure we all have those people around that try to read passwords over your shoulder)&lt;BR /&gt;&lt;BR /&gt;5)  we have an official policy that we have an input to.  
As the root password is only known within our department, and we also police the logs for any attempts at mis-use, we have a fairly free hand in how we apply it.&lt;BR /&gt;&lt;BR /&gt;Unless the situation is absolutely critical (all comms severed to a building which is on fire, and the server needs to be shut down and moved out - don't laugh, it can happen), the root passwords are never passed to anyone else (and if they have to be, they're changed ASAP) - if we have an HP engineer who needs access, we change the password for them, and then change it back on completion of their work.</description>
      <pubDate>Tue, 14 Jan 2003 11:54:54 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880671#M752145</guid>
      <dc:creator>Chris Wilshaw</dc:creator>
      <dc:date>2003-01-14T11:54:54Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880672#M752146</link>
      <description>In addition to what is already mentioned I would generally advise to use passwords that can be easily remembered. If not you can usually crack it by turning the keyboard or opening the top drawer. :-}&lt;BR /&gt;&lt;BR /&gt;Regards,&lt;BR /&gt;Trond</description>
      <pubDate>Tue, 14 Jan 2003 12:11:16 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880672#M752146</guid>
      <dc:creator>Trond Haugen</dc:creator>
      <dc:date>2003-01-14T12:11:16Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880673#M752147</link>
      <description>A. Clay:&lt;BR /&gt;You spectral types ! &lt;BR /&gt;Odd Brown Aliens Fly Great Killing Machines&lt;BR /&gt;&lt;BR /&gt;John:&lt;BR /&gt;We use Mnemonics generated by patterns of the users' choosing&lt;BR /&gt;&lt;BR /&gt;Random passwords are pain with no gain&lt;BR /&gt;&lt;BR /&gt;Regards&lt;BR /&gt;Mike "singularity" Fisher</description>
      <pubDate>Tue, 14 Jan 2003 12:30:14 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880673#M752147</guid>
      <dc:creator>Mike Fisher_3</dc:creator>
      <dc:date>2003-01-14T12:30:14Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880674#M752148</link>
      <description>Hi JP&lt;BR /&gt;&lt;BR /&gt;How often do you change your root passwords? &lt;BR /&gt;* To be honest there is no set time, we haven't done it in a while now.&lt;BR /&gt;&lt;BR /&gt;Do you keep a different root password for each Unix machine or do you use the same one for multiple machines? &lt;BR /&gt;* Yes, they are different but some characters are the same whilst other characters are derived using a basic encryption technique (that admins can work out in their heads) relating to the name of the machine&lt;BR /&gt;&lt;BR /&gt;Do you use a machine generated password with lots of upper and lower case letters, numbers, and special characters?&lt;BR /&gt;* Not machine generated, yes a combination of everything you mentioned&lt;BR /&gt;&lt;BR /&gt;Do you use something that is somewhat easy to remember or are they completely random? &lt;BR /&gt;* No it's not random due to the number of servers we have.&lt;BR /&gt;&lt;BR /&gt;Is your password discipline dictated by company/departmental policy or is it determined by you and your group? &lt;BR /&gt;* It is determined by my group not the company as there are too many IT sections within the whole of IT.&lt;BR /&gt;&lt;BR /&gt;Chuck J</description>
      <pubDate>Tue, 14 Jan 2003 13:00:29 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880674#M752148</guid>
      <dc:creator>Chuck J</dc:creator>
      <dc:date>2003-01-14T13:00:29Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880675#M752149</link>
      <description>Hi John,&lt;BR /&gt;&lt;BR /&gt;I'm the only SA at my company for UX and we have no company policy.&lt;BR /&gt;I have to deposit my password during my holidays and so I thought I change it after every holidays but I haven't done this last year.&lt;BR /&gt;Passwords from server and clients are equal.&lt;BR /&gt;For my root password I use any keys from the keyboard.&lt;BR /&gt;I'm annotete this letters and numbers once and change it at every workstation (30 times).&lt;BR /&gt;So I have it in my memory.&lt;BR /&gt;&lt;BR /&gt;Volkmar</description>
      <pubDate>Tue, 14 Jan 2003 13:03:30 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880675#M752149</guid>
      <dc:creator>V. Nyga</dc:creator>
      <dc:date>2003-01-14T13:03:30Z</dc:date>
    </item>
    <item>
      <title>Re: Root password discipline</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880676#M752150</link>
      <description>&lt;BR /&gt;I make my root passwords equal to the machine name, but then again my machines are just R&amp;amp;D machines anyways. If you toast them you own them :-) I don't even make backups of the damn things :-) SERIOUSLY!&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;We have about 15 SA's and around 400+ HPux servers, and most of them don't use the root password , they use a "special" normal account that allows them to become root (through su). All of our machines are behind lock and key, computer rooms have camera's, and security guards (fortunately without any weapons!). &lt;BR /&gt;&lt;BR /&gt;We actually have a security group of about 6 people that decides when the passwords get changed. Different "groups" of servers have different root passwords. If anyone is fired or resigns, the passwords are changed immediately. Too many excessive login attempts will cause root to be disabled - one thing to look for. &lt;BR /&gt;&lt;BR /&gt;live free or die&lt;BR /&gt;harry</description>
      <pubDate>Tue, 14 Jan 2003 13:33:02 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/root-password-discipline/m-p/2880676#M752150</guid>
      <dc:creator>harry d brown jr</dc:creator>
      <dc:date>2003-01-14T13:33:02Z</dc:date>
    </item>
  </channel>
</rss>

