<HTML ><HEAD ><TITLE >Use good passwords</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK REL="HOME" TITLE="Remote Serial Console HOWTO" HREF="index.html"><LINK REL="UP" TITLE="Security" HREF="security.html"><LINK REL="PREVIOUS" TITLE="Security" HREF="security.html"><LINK REL="NEXT" TITLE="Obey Data Terminal Ready and Data Carrier Detect" HREF="security-dtr.html"></HEAD ><BODY CLASS="SECTION" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Remote Serial Console HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="security.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" >Chapter 9. Security</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="security-dtr.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECTION" ><H1 CLASS="SECTION" ><A NAME="SECURITY-PASSWORD" ></A >9.1. Use good passwords</H1 ><P >Anyone that can guess the <SPAN CLASS="ACRONYM" >BIOS</SPAN > password, the boot loader password, or the <SPAN CLASS="SYSTEMITEM" >root</SPAN > password can get full control of the machine. These should be different, unrelated, excellent passwords. Random text and digits are by far the best choice. You should never use a password that you think would return a hit from a search engine.<A NAME="AEN2188" HREF="#FTN.AEN2188" ><SPAN CLASS="footnote" >[1]</SPAN ></A ></P ><P >Guessing a user's password is only slightly less severe, as a hacker can obtain <SPAN CLASS="SYSTEMITEM" >root</SPAN > access simply by waiting. The hacker waits for a <SPAN CLASS="QUOTE" >"local exploit"</SPAN > for a flaw in the operating system to appear and uses that exploit before the machine is patched.</P ><P >Severely limit the number of users on the machine. Ensure that only good passwords are chosen by using a fascist password checker such as a <A HREF="http://www.users.dircon.co.uk/~crypto/" TARGET="_top" ><SPAN CLASS="APPLICATION" >cracklib</SPAN ></A >-based <A HREF="http://www.kernel.org/pub/linux/libs/Linux-PAM-html/pam.html" TARGET="_top" ><SPAN CLASS="APPLICATION" >PAM</SPAN ></A > module.</P ><P >You should write down the <SPAN CLASS="ACRONYM" >BIOS</SPAN > password, the boot loader password and the <SPAN CLASS="SYSTEMITEM" >root</SPAN > password. Now you don't need to remember them, so there is no reason for them not to be totally random, unrelated, excellent passwords. Fold the page, put it in an envelope and seal it.</P ><P >Now we have turned a computer security problem into a physical security problem. We know how to solve those problems: locks, keys, alarms, safes, guards, regular inspections. If your site has staffed security then a good option is to leave the envelope in the care of the guard post with instructions to treat the envelope with the same procedures used for the site's master keys. Smaller sites can use a safe, a cash box or a locked drawer. A thief forcing a locked drawer still leaves shows more apparent signs of entry and more clues to their identity than is left by a hacker behind a modem.</P ><P >These three passwords are an important corporate asset. If the machine is secure then forgetting the major passwords for the machine should result in a machine whose configuration cannot be altered by actions short of disassembly. You should have written procedures controlling the generation, storage, lifetime and use of major passwords.</P ></DIV ><H3 CLASS="FOOTNOTES" >Notes</H3 ><TABLE BORDER="0" CLASS="FOOTNOTES" WIDTH="100%" ><TR ><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="5%" ><A NAME="FTN.AEN2188" HREF="security-password.html#AEN2188" ><SPAN CLASS="footnote" >[1]</SPAN ></A ></TD ><TD ALIGN="LEFT" VALIGN="TOP" WIDTH="95%" ><P >But don't submit your proposed password to a search engine! Sending passwords in plain text across the Internet isn't good, nor the possibility of having them appear in the logs of a search engine.</P ></TD ></TR ></TABLE ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="security.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="security-dtr.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Security</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="security.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Obey Data Terminal Ready and Data Carrier Detect</TD ></TR ></TABLE ></DIV ></BODY ></HTML >