IT Baseline Protection Manual S 4.14 Mandatory password protection under Unix

S 4.14 Mandatory password protection under Unix

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Password protection for each account on a Unix computer ensures that only an authorised user can log in under a given log-in name, because after the log-in name has been entered, authentication is performed by entering the password.

When using passwords for users and groups, the rules described under S 2.11 Provisions governing the use of passwords are to be observed. Bear in mind that on some systems only a limited number of characters of the password is taken into account during password verification. To implement these measures, either a version of passwd that enforces compliance with these rules (some are available as public domain software) or administrative measures, e.g. shell scripts and corresponding cron entries, should be used.

Passwords should not be stored in the world-readable /etc/passwd file but in a shadow password file that ordinary users cannot read.

The /etc/passwd file must be checked regularly for user IDs without a password. If such an ID is found, the user must be blocked. If mandatory password use has been agreed for groups, the /etc/group file must be checked in the same way. However, it is recommended not to assign any passwords to groups and to enter as few users as possible in each group. This makes it easy for a user to change to another group of which he is a member, while unauthorised group changes by means of the corresponding programs are precluded.
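The file checks described above, as an added shell example that is not part of the manual: two functions that scan passwd-, shadow- or group-format files for empty password fields and for password hashes that should not be there, plus a helper that writes constructed sample files so the checks can be tried without touching the real system files.

```sh
#!/bin/sh
# Added example, not taken from the BSI manual: the file checks S 4.14 calls
# for, written as shell functions so that a cron job can run them over
# /etc/passwd, /etc/shadow and /etc/group. File paths are parameters; the
# files written by make_sample_files are constructed test data only.

# Print the name (field 1) of every entry whose password field (field 2) is
# empty, i.e. an account or group usable without a password. Works for the
# passwd, shadow and group formats alike. Returns 1 if any were found, else 0.
find_empty_passwords() {
    found=0
    while IFS=: read -r name pw rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        if [ -z "$pw" ]; then
            printf '%s\n' "$name"
            found=1
        fi
    done < "$1"
    return "$found"
}

# Print the name of every entry whose password field holds an actual hash
# rather than the shadow placeholder "x", the disabled marker "*" or a locked
# "!..." value. On /etc/passwd this lists hashes that were not moved to the
# shadow file; on /etc/group it lists groups that have a password set.
# Returns 1 if any were found, else 0.
find_stored_hashes() {
    found=0
    while IFS=: read -r name pw rest; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$pw" in
            ''|x|'*'|'!'*) ;;
            *) printf '%s\n' "$name"; found=1 ;;
        esac
    done < "$1"
    return "$found"
}

# Write constructed sample files (test data, not real accounts) into dir $1.
make_sample_files() {
    mkdir -p "$1"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'guest::1001:1001::/home/guest:/bin/sh' \
        'legacy:$1$zz$FAKEHASH:1002:1002::/home/legacy:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:$6$zz$FAKEHASH:18000:0:99999:7:::' \
        'guest::18000:0:99999:7:::' > "$1/shadow"
    printf '%s\n' 'wheel:x:10:root' 'staff::50:guest' \
        'project:$1$zz$FAKEHASH:100:root,guest' > "$1/group"
}
```

A cron entry would call find_empty_passwords on /etc/passwd and /etc/shadow and find_stored_hashes on /etc/passwd and /etc/group, and report any names they print.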

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: January 2000