Most organizations use passwords to control access to IT resources. But it is increasingly clear that passwords are not ideal security controls. A password long and complex enough to provide reasonable security is usually too hard for a user to remember, so the user ends up writing it down or otherwise recording it, from where it can be stolen.
This tendency is made worse by password policies that enforce length and construction rules, for example requiring certain classes of characters, rejecting passwords that resemble previous ones and disallowing dictionary words. Weaker passwords are easier for the user to remember, but also easier to compromise by brute force or dictionary attack.
Vendors have implemented a number of alternative controls to get around this problem, with varying levels of acceptance. These include two-factor authentication (using one-time keys), smart cards and biometrics. But although they are more secure, these controls can be costly and hard to implement and manage.
Recently, another alternative control has been suggested – a passphrase. A passphrase is a sentence or phrase that can be used instead of a password. The passphrase is often nonsensical, for example:
bob backward danced violet ravine tornado
As an enhancement of the password rather than an entirely new control, the passphrase is easier to implement than those alternatives.
But you'll hear a lot of argument about whether passphrases really are more secure than passwords. The case for passphrases is that, because they are easier for people to remember, the risk of people writing them down is reduced, and their greater length gives an attacker a far larger space to search than a single word does.
Some critics fear that a passphrase made up of dictionary words may be easy to crack by treating each word as a symbol drawn from a dictionary, in the same way that a conventional brute force attack treats each character as a symbol drawn from a character set: the attacker then has to guess a handful of words rather than a few dozen characters. Including other characteristics such as punctuation, capitalization or numbers may reduce that risk. So our previous example of a passphrase might be enhanced like so:
Bob backward, Danced violet Ravine tornado!
The capital letters and punctuation make a word-at-a-time attack more expensive, because each word can now appear in several forms. Bear in mind, though, that password-cracking tools apply such mangling rules routinely, so adding another word to the phrase does more for its strength than decorating the words already in it.
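To make that argument concrete, here is an added example (my own code, not part of the original tip) that computes the search space of the two passphrases above under a character-at-a-time model and a word-at-a-time model. The word-list size (7776 words), the character set (lowercase letters plus space) and the mangling rules the attacker is assumed to know (optional capitalization of each word, and one of four punctuation marks or none after each word) are assumptions chosen for illustration, not figures from the tip.

```python
import math
import re

# Constructed inputs: the two example passphrases from the tip.
PLAIN = "bob backward danced violet ravine tornado"
MANGLED = "Bob backward, Danced violet Ravine tornado!"

# Assumed attacker models (assumptions for this example, not from the tip).
DICTIONARY_WORDS = 7776   # assumed word-list size (a Diceware-style list)
CHARSET_SIZE = 26 + 1     # lowercase letters plus the space separator
PUNCTUATION_MARKS = 4     # assumed rule set: one of , . ! ? (or none) after each word


def words_in(passphrase):
    """Return the dictionary words of a passphrase, ignoring case and punctuation."""
    return re.findall(r"[A-Za-z]+", passphrase)


def char_level_bits(passphrase, charset_size=CHARSET_SIZE):
    """Search space in bits if the attacker treats each character as a symbol.

    This is the naive model; it grossly overstates the strength of a
    passphrase that is built from dictionary words.
    """
    return len(passphrase) * math.log2(charset_size)


def word_level_bits(passphrase, dictionary_words=DICTIONARY_WORDS,
                    capitalisation=False, punctuation_marks=0):
    """Search space in bits if the attacker treats each word as a symbol.

    capitalisation=True assumes the attacker knows each word may or may not
    be capitalised (1 extra bit per word); punctuation_marks=N assumes each
    word may be followed by one of N marks or nothing (log2(N+1) bits per word).
    """
    n_words = len(words_in(passphrase))
    bits_per_word = math.log2(dictionary_words)
    if capitalisation:
        bits_per_word += 1
    if punctuation_marks:
        bits_per_word += math.log2(punctuation_marks + 1)
    return n_words * bits_per_word


if __name__ == "__main__":
    print("plain, character model:  %.1f bits" % char_level_bits(PLAIN))
    print("plain, word model:       %.1f bits" % word_level_bits(PLAIN))
    print("mangled, word model:     %.1f bits" % word_level_bits(
        MANGLED, capitalisation=True, punctuation_marks=PUNCTUATION_MARKS))
    # For comparison: what one more dictionary word would add.
    print("one extra word:          %.1f bits" % math.log2(DICTIONARY_WORDS))
```

Run as is, the script shows that the character-level figure for the plain phrase (about 195 bits) is meaningless against a dictionary-word attack, which the word-level model puts at about 78 bits, and that capitalizing and punctuating every word adds about 20 bits, roughly what one and a half additional words would add. The model assumes the attacker knows exactly which mangling rules were used; if they do not, the phrase is somewhat stronger, but common rules of this kind are already part of the rule sets shipped with cracking tools.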
Not many people are aware that Red Hat supports passphrases with very little change to your host. All you need to do is ensure that, when users change their password or passphrase, it is checked for compliance with your password/passphrase policy. For standard passwords this enforcement is done by the pam_cracklib PAM module. A second module, pam_passwdqc, became available in Red Hat Enterprise Linux 3 and can enforce policy for passphrases as well as passwords.
The pam_passwdqc module ships as an RPM. If it is not already installed, install it from the Red Hat installation media or with the up2date command. In the PAM configuration, pam_passwdqc is stacked before your usual password-changing module (usually pam_unix) and takes the place of the pam_cracklib line (use one of the two modules, not both) in the password section of the system-auth file in the /etc/pam.d directory. That section with pam_passwdqc enabled looks like this:
password required pam_passwdqc.so
password sufficient pam_unix.so nullok try_first_pass use_authtok md5 shadow
password required pam_deny.so
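As an added example (my own code, not from the original tip or from Red Hat), the following Python script makes the change described above on the password section of a constructed system-auth file and then checks the result: it swaps the pam_cracklib line for pam_passwdqc, makes sure pam_unix carries use_authtok so it accepts the passphrase that pam_passwdqc collected instead of prompting again, and verifies that pam_passwdqc appears exactly once and before pam_unix. The sample file contents are constructed for the example; pass a path on the command line to process a real file instead, and review the output before copying it over /etc/pam.d/system-auth.

```python
import sys

# Constructed sample: a Red Hat style /etc/pam.d/system-auth that still uses
# pam_cracklib. Not copied from a real host.
SAMPLE_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so retry=3 type=
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
"""

PASSWDQC_LINE = "password    required      pam_passwdqc.so"


def enable_passwdqc(text):
    """Return the config with pam_passwdqc in place of pam_cracklib.

    Only lines of the 'password' stack are touched. pam_unix is given
    use_authtok so it takes the new password already collected and checked
    by pam_passwdqc rather than prompting for it a second time.
    """
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "password":
            if fields[2].endswith("pam_cracklib.so"):
                line = PASSWDQC_LINE
            elif fields[2].endswith("pam_unix.so") and "use_authtok" not in fields[3:]:
                line = line.rstrip() + " use_authtok"
        out.append(line)
    return "\n".join(out) + "\n"


def check_password_stack(text):
    """Return a list of problems with the password stack; empty means it is consistent."""
    stack = [f for f in (l.split() for l in text.splitlines())
             if len(f) >= 3 and f[0] == "password"]
    # Tolerate full module paths such as /lib/security/$ISA/pam_unix.so.
    modules = [f[2].rsplit("/", 1)[-1] for f in stack]
    problems = []
    if modules.count("pam_passwdqc.so") != 1:
        problems.append("pam_passwdqc.so must appear exactly once in the password stack")
    if "pam_cracklib.so" in modules:
        problems.append("pam_cracklib.so should be replaced by pam_passwdqc.so, not stacked with it")
    if "pam_unix.so" not in modules:
        problems.append("no pam_unix.so in the password stack")
    elif ("pam_passwdqc.so" in modules
          and modules.index("pam_passwdqc.so") > modules.index("pam_unix.so")):
        problems.append("pam_passwdqc.so must come before pam_unix.so")
    for fields, module in zip(stack, modules):
        if module == "pam_unix.so" and "use_authtok" not in fields[3:]:
            problems.append("pam_unix.so needs use_authtok to accept the passphrase from pam_passwdqc")
    return problems


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SYSTEM_AUTH
    fixed = enable_passwdqc(source)
    sys.stdout.write(fixed)
    for problem in check_password_stack(fixed):
        print("PROBLEM:", problem, file=sys.stderr)
```

The script leaves the auth, account and session stacks alone, so a mistake here breaks password changes rather than logins; even so, try the new stack by running passwd for an unprivileged test account before rolling the file out, and keep a root shell open while you do.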
Part two of this tip discusses how to configure this functionality in Red Hat.

James Turnbull is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.
This was first published in August 2006