Root password discipline

John Poff
Honored Contributor

Root password discipline

Hi everybody,

I'm curious about how everybody manages the root password discipline in their environment. We all know how important it is to keep the root password secure, but what steps do you take to keep it safe?


How often do you change your root passwords?

Do you keep a different root password for each Unix machine or do you use the same one for multiple machines?

Do you use a machine generated password with lots of upper and lower case letters, numbers, and special characters?

Do you use something that is somewhat easy to remember or are they completely random?

Is your password discipline dictated by company/departmental policy or is it determined by you and your group?


Please don't post any real root passwords! I'm just curious how different people manage the issue. And don't just tell me what you tell the security auditors. Tell me what you *really* do. ;)

JP
Patrick Wallek
Honored Contributor
Solution

Re: Root password discipline

Hi John,

Here's what we are fixing to start doing:

1) Root passwords expire every 90 days (they currently expire at different times, some don't expire)

2) We have one password that works on most machines; on some machines, other groups require the root password to be different.

3) We do not use machine-generated passwords. We generally use regular words, but with numbers in place of some letters. A place I used to work used phrases, where the password was the first letter of each word, or we might use a number for a word in the phrase.

4) Passwords are generally easy to remember, but with 4 - 5 different passwords, well......

5) Our password rules are, I believe, department policy.
Pete Randall
Outstanding Contributor

Re: Root password discipline

John,

Since I define the rules and decide when to change the password, it hasn't been changed in quite some time (I probably should, but . . . ). We use an 8 character password made up of random letters - no numbers, no special characters.

Pete
Ken Hubnik_2
Honored Contributor

Re: Root password discipline

Those rules sound familiar, Patrick. The security police usually set the rules, or auditors will determine what you need to do.
John Meissner
Esteemed Contributor

Re: Root password discipline

To answer your question in order:

-We change our root password every 90 days

-We have a different password for every machine. It may only vary by 2 characters from one machine to the next - but each is different

-We generate our own random passwords. We just put some numbers and letters together and call it a password - no dictionary words.

-We generally run a crack program on our /etc/passwd file to test the strength of root/user passwords

-Our passwords aren't really that easy to remember - I've forgotten them before and had to ask another guy in my department

-Our company has a Security team that dictates most of our policies
All paths lead to destiny
A. Clay Stephenson
Acclaimed Contributor

Re: Root password discipline

Typically all the root passwords are the same. I use NIS+ to manage all non-root passwords. My root passwords do not expire automatically but I replace them on 90-day intervals.

My password convention is to choose an obscure astronomical term or combination of terms and then intentionally misspell it and embed at least one special character. Moreover, mixed case is always used. I've used this scheme for at least 10+ years and have never repeated a password.

I have been given completely free rein to compose the password composition rules for root and all other users.

As an example,
"ObafgKm!" - believe it or not, except for the mixed case and the '!' that would be very, very easy for any astronomer to remember and very difficult for any other admins to remember. The good news is that none of my admins like any of my root passwords.

If it ain't broke, I can fix that.
Jon Mattatall
Esteemed Contributor

Re: Root password discipline

Well, you did say the truth....

We change root pw's whenever there is a personnel change OR we've been made to give up the current password to our 3rd level support group (we're second level).

On the machines that only our group uses, the same password is used. Webservers allow the inet group access, so we allow them to set the passwords since we can ssh in and change it at will from another box.

Mix of letters/chars/nums/upper/lower (but not always all of them)

We use either a "h@X0r"ed word or a memorable phrase in general. We've tried random, but people (go figure) wrote the buggers down.

In theory - department policy
In practice - we do what we deem best.

Jon
A little knowledge is dangerous - none is absolutely terrifying!!!
paul courry
Honored Contributor

Re: Root password discipline

Tell you our security policy? How we choose passwords?

Shades of Kevin Mitnick!

There are plenty of white papers out there on password security and maintenance, use them.

Give some black hat hacker (who is probably reading this and laughing) a leg up on cracking our system by discussing how we choose passwords and how frequently we change them? No way!

Signed

Paul (yes they are out to hack me) Courry
John Poff
Honored Contributor

Re: Root password discipline

Paul,

Kevin Mitnick? Easy, big guy.

I'm just trying to get a feel for what the rest of the real world does. White papers? Sure, I've read a bunch of them too. Mostly written by expert consultants who fly in, give a bunch of nice recommendations, collect their money, and fly back out. I want to hear what other people like me are doing about password discipline. People working in the trenches everyday who probably won't have a job if the systems get hacked.

One reason I come here is because I'm listening to people who administer the systems on a daily basis. I tried to make the questions such that they could be answered without giving away too much information about the discipline in your environment. I'm concerned with how often to change them, and how hard to make them. I want them to be reasonably hard to crack, but if I make them too hard and too ugly I'll run into the problem that Jon mentioned where admins start writing them down on notes next to their computer!

Thanks for expressing your opinion, Paul.

Thanks to the rest of you who were obviously brave enough [or foolish enough according to Paul] to respond to my post.

JP


Steven E. Protter
Exalted Contributor

Re: Root password discipline

We follow the 90 day rule.

root and important dba passwords change on this basis. dba passwords are allowed to be the same on multiple machines, since some dba's can't handle it any other way.

We do not allow the root password to be the same on two machines, except:

While building multiple machines, we choose the same root password for each of them. When it goes prod it changes.

We do not set root passwords to expire because an operator might get the prompt, change the password and not bother to tell anyone. That happened here, and I ended up having to go to single user mode to reset it, since the guy FORGOT it too.

Also, we don't let them expire, so I can pick and choose the change time. I don't change them right before a vacation or conference, since every time we change it, it generates Nextel calls and pages for me.

Steve
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Martin Johnson
Honored Contributor

Re: Root password discipline

We generally have different system passwords on each system. The password starts with a base word which is modified with numbers and/or special characters. A suffix is added that is a characteristic of the system that will make the password different from the other systems. The passwords are different, but occasionally the characteristic chosen is the same on more than one system, hence they will have the same password.

We use pseudo root accounts, which are usually disabled, to give outside vendors root access. That way their access doesn't affect our password rollover.

HTH
Marty
Michael Tully
Honored Contributor

Re: Root password discipline

Hi John,

I think different companies display and try to maintain their own rules. We can only try to improve it or at least make it more flexible.

I change the passwords somewhere in the vicinity of 60-90 days, usually more often when I find something has been created, like a .rhosts file or hosts.equiv that has been created for convenience by someone and then left behind. (I'm not the only SA here.) If someone leaves, their account is automatically disabled and the root passwords on all systems are changed immediately.

We use 'sudo' and sudo/ssh for our systems in our DMZ.
No system has the same root password. I try to make them not difficult, but not so that they are easily remembered. They are stored in a safe place and only known by me and my manager.
Any software installs are detected almost immediately, so no occurrences of crack or anything else can easily be introduced.

Cheers
Michael
Anyone for a Mutiny ?
David_246
Trusted Contributor

Re: Root password discipline

Hi John,

We use eTrust from CA for this issue. It was recommended by HP itself.
eTrust will allow you to use "sesu"; this is a tool that works like su but allows you (and your defined colleagues) to become root with your own password. It can generate passwords for you, but you can also type in your own. You set specific rules like the alpha num/num/upper, etc. You can also set how many of each type of character is required. Password history/name check, etc. can also be set.
You can even specify which user is allowed during what times to login under root/yourid, etc you can set terminals and so on. So you keep your switch-to-root option minimized and secured. Everything is logged. You can also implement this as a kind of secured NIS to propagate new users to the servers you add in the config.

Apart from password rules you can also define file protections, process protections, switch-user bit protections, timeframe protections, etc. You can make it very complicated, but you can also choose to keep it very simple.

Hope this is of any interest for you.

Regs, David
@yourservice
BFA6
Respected Contributor

Re: Root password discipline

Hi,

I have picked a memorable phrase (to me anyway) and have created the password from that, using numbers as well as letters.

The password is generally changed when personnel leave but I am going to start changing it on a 3 monthly basis.

I have also just learned that some servers can't have the password changed as it's used for file transfer purposes - don't like the sound of that.

Regards,

Hilary
Chris Wilshaw
Honored Contributor

Re: Root password discipline

1) root passwords nominally changed every 3 months, or less if a member of staff knowing the root password leaves in that time. The 3 months will be effectively reset if it is changed part way through, and we have had occasions where it's been left longer (if for example someone was known to be leaving a week or so after the change was due, it's delayed so that we don't have 2 changes in quick succession)

2) we have a root ID, and a root equivalent ID on each machine (root only used in emergencies such as when some [is it fair to use the word idiot??] person changes the other password, and doesn't tell anyone else what it is). The passwords also vary between live machines on the local LAN, test machines (we allow some people root access on the test systems that we don't let loose on the live ones), and those which can connect to the internet.

3) manually determined passwords, mix of all available characters (not always using a number AND special character)

4) passwords normally based on the initial letters of a phrase, most often randomly thought up by me, so that they don't have a personal/business specific link that can be more easily guessed at.

eg:

t1arpk!s (this 1s a root password, keep !t secret)

[don't worry, it's not a real one that I've ever used, or ever will]

The difficulty is normally in the trade-off between easy to remember, or risk having people write it down somewhere. I try to go for one that is tricky to remember, but once learned can be typed quickly (I'm sure we all have those people around that try to read passwords over your shoulder)

5) we have an official policy that we have an input to. As the root password is only known within our department, and we also police the logs for any attempts at mis-use, we have a fairly free hand in how we apply it.

Unless the situation is absolutely critical (all comms severed to a building which is on fire, and the server needs to be shut down and moved out - don't laugh, it can happen), the root passwords are never passed to anyone else (and if they have to be, they're changed ASAP) - if we have an HP engineer who needs access, we change the password for them, and then change it back on completion of their work.
Trond Haugen
Honored Contributor

Re: Root password discipline

In addition to what is already mentioned I would generally advise to use passwords that can be easily remembered. If not you can usually crack it by turning the keyboard or opening the top drawer. :-}

Regards,
Trond
Mike Fisher_3
Advisor

Re: Root password discipline

A. Clay:
You spectral types!
Odd Brown Aliens Fly Great Killing Machines

John:
We use Mnemonics generated by patterns of the users' choosing

Random passwords are pain with no gain

Regards
Mike "singularity" Fisher
The best things in life aren't things
Chuck J
Valued Contributor

Re: Root password discipline

Hi JP

How often do you change your root passwords?
* To be honest there is no set time, we haven't done it in a while now.

Do you keep a different root password for each Unix machine or do you use the same one for multiple machines?
* Yes, they are different, but some characters are the same whilst other characters are derived using a basic encryption technique (that admins can work out in their heads) relating to the name of the machine

Do you use a machine generated password with lots of upper and lower case letters, numbers, and special characters?
* Not machine generated, yes a combination of everything you mentioned

Do you use something that is somewhat easy to remember or are they completely random?
* No it's not random due to the number of servers we have.

Is your password discipline dictated by company/departmental policy or is it determined by you and your group?
* It is determined by my group not the company as there are too many IT sections within the whole of IT.

Chuck J
V. Nyga
Honored Contributor

Re: Root password discipline

Hi John,

I'm the only SA at my company for UX and we have no company policy.
I have to deposit my password during my holidays, and so I thought I would change it after every holiday, but I haven't done this last year.
Passwords for server and clients are equal.
For my root password I use any keys from the keyboard.
I annotate these letters and numbers once and change them at every workstation (30 times).
So I have it in my memory.

Volkmar
harry d brown jr
Honored Contributor

Re: Root password discipline


I make my root passwords equal to the machine name, but then again my machines are just R&D machines anyways. If you toast them you own them :-) I don't even make backups of the damn things :-) SERIOUSLY!


We have about 15 SA's and around 400+ HPux servers, and most of them don't use the root password; they use a "special" normal account that allows them to become root (through su). All of our machines are behind lock and key, computer rooms have cameras, and security guards (fortunately without any weapons!).

We actually have a security group of about 6 people that decides when the passwords get changed. Different "groups" of servers have different root passwords. If anyone is fired or resigns, the passwords are changed immediately. Too many excessive login attempts will cause root to be disabled - one thing to look for.

live free or die
harry
Live Free or Die
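Harry's closing remark ("too many excessive login attempts will cause root to be disabled - one thing to look for") and Chris Wilshaw's note that his team polices the logs for misuse both come down to counting failed attempts to become root. As an added example that is not from any poster in this thread, the POSIX shell function below summarises failed su-to-root attempts per user from a sulog-style file and reports the users at or above a threshold. The log lines are constructed, and the `SU MM/DD HH:MM +|- tty from-to` line layout, the threshold and the file location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarise failed su-to-root attempts
# from a sulog-style file so that repeated failures stand out.
# Assumed line layout (HP-UX/Solaris style): SU MM/DD HH:MM +|- tty from-to
# where "+" marks a successful su and "-" a failed one.

# Print "user count" for every user with at least $2 failed su-to-root
# attempts in file $1, sorted by user name.
failed_su_to_root() {
    awk -v limit="$2" '
        $1 == "SU" && $4 == "-" {
            # field 6 is "from-to"; keep only attempts whose target is root
            n = split($6, p, "-")
            if (n == 2 && p[2] == "root") fail[p[1]]++
        }
        END { for (u in fail) if (fail[u] >= limit) print u, fail[u] }
    ' "$1" | sort
}

# Constructed sample sulog (not real data): oper fails four times, vendor once,
# and the oper-dba line is a failure against a non-root target, so it is ignored.
SAMPLE_SULOG=$(mktemp)
cat > "$SAMPLE_SULOG" <<'EOF'
SU 01/05 02:11 + pts/0 jsmith-root
SU 01/05 02:13 - pts/1 oper-root
SU 01/05 02:13 - pts/1 oper-root
SU 01/05 02:14 - pts/1 oper-root
SU 01/05 02:14 - pts/1 oper-root
SU 01/05 02:20 - pts/2 vendor-root
SU 01/05 03:02 + pts/0 jsmith-root
SU 01/05 03:10 - pts/3 oper-dba
EOF

# Usage: report users with three or more failed attempts to become root.
failed_su_to_root "$SAMPLE_SULOG" 3
```

In daily use you would point the function at the real sulog (on HP-UX usually /var/adm/sulog, an assumption to verify on your release) from cron and page on any non-empty output; the threshold is deliberately low so that a single user hammering root stands out before any automatic lockout kicks in.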
Richard Darling
Trusted Contributor

Re: Root password discipline

I change root passwords every 3 months and use the same password for multiple machines.

The password is composed of a mixture of upper & lower case letters, numbers and special characters. It isn't any actual word, nor completely random; but is done in a way that can be remembered.

The password policy is dictated by me.
Robert-Jan Goossens
Honored Contributor

Re: Root password discipline

Hi John,

Twice a year, not on special dates.

All servers have the same passwd.

The passwd is made from upper/lower case letters, numbers and special characters in such a way that it is possible to remember.

The Unix group is responsible for changing the passwd.

The only way to become root directly is on the console; su - root can only be done by a special group, and members of this group are sysadmins.

Robert-Jan.
W.C. Epperson
Trusted Contributor

Re: Root password discipline

All of our actual "root" passwords are escrowed with me (Chief Systems Engineer) by the server's primary SA, in sealed envelopes and vaulted. Each Unix sysadmin has an individual uid 0 account on each box (s)he's responsible for, so when someone leaves, we just disable the account unless their signature is on a root envelope, in which case we also change root for that box. Our security standards call for password changes every sixty days, and do contain some guidance on construction of passwords. Each sysadmin is responsible for managing passwords on the personal uid 0 accounts, and the primary also manages the real root account.

"I have great faith in fools; self-confidence, my friends call it." --Poe
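Several posters describe the same two controls from different angles: a fixed change interval (90 days for Patrick and John Meissner, 60 days in W.C. Epperson's standards) and extra uid-0 accounts (Epperson's personal uid 0 logins, Martin Johnson's normally disabled pseudo-root accounts for vendors). Both are easy to let slide, so here is an added example, not from any poster, of a POSIX shell audit that lists every uid-0 account in a passwd file, reports which are locked and flags any whose password is older than the policy. The passwd and shadow files are constructed; the shadow layout (name:hash:lastchg:min:max:warn:..., with lastchg in days since the epoch and a hash starting with `*` or `!` meaning locked) is the Linux-style one and is an assumption for HP-UX.

```shell
#!/bin/sh
# Added example, not code from the thread. Audit every uid-0 account in a
# passwd file against a shadow-style file: report locked accounts and flag
# passwords older than the policy interval.
# Assumed shadow layout: name:hash:lastchg:min:max:warn:... where lastchg is
# days since the epoch and a hash starting with "*" or "!" means locked.

# Print the names of all accounts with uid 0 in passwd file $1, in file order.
list_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Usage: audit_root_pw PASSWD SHADOW MAX_DAYS TODAY_DAYS
# Prints one line per uid-0 account, "name age STATUS", where STATUS is
# LOCKED (age "-"), NOSHADOW (no shadow entry), STALE (age > MAX_DAYS) or OK.
audit_root_pw() {
    passwd_file=$1
    shadow_file=$2
    max_days=$3
    today=$4
    list_uid0 "$passwd_file" | while read -r user; do
        # pull "hash:lastchg" for this user; first match wins
        entry=$(awk -F: -v u="$user" '$1 == u { print $2 ":" $3; exit }' "$shadow_file")
        if [ -z "$entry" ]; then
            echo "$user - NOSHADOW"
            continue
        fi
        hash=${entry%%:*}
        last=${entry#*:}
        case $hash in
            \**|!*) echo "$user - LOCKED" ;;
            *)
                age=$((today - last))
                if [ "$age" -gt "$max_days" ]; then
                    echo "$user $age STALE"
                else
                    echo "$user $age OK"
                fi ;;
        esac
    done
}

# Constructed sample files (not real data). Day 19000 is used as "today":
# root last changed 120 days ago, jsmith 10 days ago, vendor is locked.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:3:root:/:/sbin/sh
jsmith:x:0:3:J. Smith, personal uid-0 account:/home/jsmith:/sbin/sh
vendor:x:0:3:pseudo root for outside vendor:/home/vendor:/sbin/sh
oper:x:105:20:operator:/home/oper:/sbin/sh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructedhash$abc:18880:0:90:7:::
jsmith:$6$constructedhash$def:18990:0:90:7:::
vendor:*:18500:0:90:7:::
oper:$6$constructedhash$ghi:18950:0:90:7:::
EOF

# Usage: 90-day policy, "today" given as a day number.
audit_root_pw "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" 90 19000
```

On a real system the fourth argument would be the current day number, `$(( $(date +%s) / 86400 ))` where date supports `%s`, and the point of listing every uid-0 account rather than just root is exactly the case the posts describe: a personal or vendor uid-0 login that nobody rotated or disabled when its owner left.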
John Payne_2
Honored Contributor

Re: Root password discipline

You want a cart before the horse story? I'll give you a cart before the horse story...

A few years ago, the SA's shared the root password with the operations staff so they could fix the easy stuff without having to call at night. (I was an operations shift supervisor then.) Operations grew bigger and eventually took control of the root password. (I have not been in operations for 3 years, btw. I saw the light and became a systems admin.) Now we have to grovel and beg to get anything done around here. Our operations staff is made up of mostly part time student employees who know little about what they are doing. (Can anybody say 'giving the car keys to the children?') They control who gets root, how often it is changed, and what the password is. They generally don't pick very creative passwords. (This I know because I usually get the password from them so I don't have to grovel and beg as much... Don't tell their boss, he'd blow his stack.)

We are implementing CA eTrust Access Control and taking back our systems by force. (i.e. No one has root password, and we can limit the access on the machines for the operators so they can do very little damage.) The root password is slowly being changed to a 'random' password. (Random to the operations staff...) We still have a couple months to go...

Go ahead, make fun of us, I can take it. Feel free to deride our current setup all you want. I would not recommend that anyone let their operations staff control the root password, by the way...


John
Spoon!!!!
Vicente Sanchez_3
Respected Contributor

Re: Root password discipline

Hi,

Critical machines: root password changed every month.

User's passwords change every 60 days.

Not critical: between 90 and 180 days.

Regards, Vicente.