NASA Center for Computational Sciences

NCCS Password Policies


Password Expiration and Other Password Policies


Passwords on NCCS systems are set to expire every 90 days. This means you will be required to change your password at least once every 90 days (the period starts each time you change your password). This age limit is enforced across all NCCS systems.

New passwords must differ from old passwords by at least three characters, be 8 characters in length, and contain at least one number or special character. See Choosing Effective Passwords below for more information.

Userids are monitored for easily guessed passwords. A userid may be disabled 24 hours after notification of a problem of this nature if the password is not changed.

There is a minimum age limit of 21 days on passwords (except for initial temporary passwords, which must be changed as soon as possible after receipt). This is to prevent the practice of changing a password and then changing it back again to the original password.

The NCCS provides password locking services and requests that users inform the NCCS User Services Group by telephone at 301-286-9120 of extended absences when they will not be using their userids. This precaution will help ensure that break-ins do not go undetected during periods of extended user absence.

Any userid that has been inactive for more than 30 days is disabled. New userids that remain unused after 30 days are also disabled. If you enter the wrong password three times in a row when trying to log in, your userid will be disabled. If your userid has been disabled, please contact the NCCS User Services Group at 301-286-9120 to have it re-enabled.


How to Check When Your Password Will Expire


You can check when your password is going to expire on the SV1s, T3E and mintz by typing:

chkpw -w 90

You will automatically be warned by the system within 14 days of your password expiring. Currently there is no way of knowing if your password has expired on the Sun/dirac.


Using the passwd Command to Change Your Password


On the SV1s, T3E and mintz, as with most Unix systems, use the passwd command to change your password. You will be asked for your old password and prompted for your new password twice. Your password will be updated when the command completes. Changing your password on charney will simultaneously change your password on the batch only system suomi.

When you change your password on charney your new password will automatically be run through a password 'cracker.' If the 'cracker' determines that your password is not acceptable, then you will have to find an appropriate password. This 'cracker' is the same type of 'cracker' that hackers are using. It has access to a very large dictionary that includes foreign languages as well as abbreviations, technical terms, common keyboard patterns, and commonly used passwords. Though the dictionary is rather large, it is quite small compared to the dictionaries that hackers are using today. The 'cracker' will reject your password if it can apply any of the cracking rules and come up with a word or abbreviation in its dictionary. See Choosing Effective Passwords below for further guidelines.

You can change your UniTree password by logging onto dirac. As there are no more interactive logins to dirac, you can log on to dirac only to change your password on UniTree. When you log in you will be taken automatically to the passwd command. When you log on to dirac this is what you will see on your screen:

login: userid
Password: old_password
No directory! Logging in with home=/
-passwd:  Changing password for userid
Enter login password: old_password
New password: new_password
Re-enter new password: new_password

Where userid is your NCCS userid, old_password is your old password on dirac and new_password is your new password on dirac.

Once you have re-entered your new password the window will close automatically. Remember that the re-entered new password is also your new UniTree password. When you need to access UniTree you can ftp to UniTree using the ftp dirac 1021 command.


Choosing Effective Passwords


Due to the presence of resourceful hackers, you must be careful in choosing your passwords. The following are recommendations that should make it much more difficult for someone to successfully break in to your NCCS userid.

  • Choose a password 8 characters in length. Most operating systems set a maximum of 8 characters for the length of the password. Longer passwords are much harder to crack than shorter ones. Any passwords less than 8 characters long will be rejected. Passwords longer than 8 characters are accepted by the SV1s, T3E, dirac (UniTree) and mintz, but the systems "see" only the first 8.
  • Choose a password that is not a word or abbreviation in any dictionary, including foreign language dictionaries.
  • Use one or more special (i.e. non-alphabetic, non-numeric) characters in your passwords. If the password has only one non-alphabetic character, that character must not be the first or the last character in the password string.
  • Use one or more numeric characters.
  • Use a mixture of upper and lowercase characters.
  • Avoid names, especially names of family members, pets or fictional characters from movies, books or plays.
  • Avoid passwords that are common to your work such as star identifiers, computer names and the like.
  • Avoid simple strategies such as prepending or appending a digit to a word or name. These are some of the easiest passwords to crack.
  • Don't use your Social Security Number, license plate id, telephone number or other personal information which may be easy to locate.
  • Avoid obvious keyboard patterns (e.g. qwerty) or numbering schemes (e.g. 123).
  • Do choose a password that you can easily remember. The use of a pass-phrase may be helpful: select a phrase known only to you and use the first or last letter of each word in the phrase as your password. N.B. Some pass-phrases may generate a sequence of characters that will match a word or abbreviation in the dictionary. You may have to try different phrases to find one that the cracker will accept.
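
The rules above interact with the 8-character truncation: a digit appended as the ninth character is never seen by the system. The following checker is an added example, not NCCS code, that evaluates the composition rules against the first 8 characters only. The function names, the tiny constructed word list, the single stand-in cracking rule, and the position-by-position measure of "differ by at least three characters" are assumptions.

```python
import re

SIGNIFICANT = 8  # per the page, these systems "see" only the first 8 characters
# Constructed sample list; a real checker would load a large dictionary.
SAMPLE_WORDS = {"password", "welcome", "charney", "goddard"}

def differing_positions(old, new):
    """Assumed metric: positions that differ within the first 8 characters."""
    a = old[:SIGNIFICANT].ljust(SIGNIFICANT, "\0")
    b = new[:SIGNIFICANT].ljust(SIGNIFICANT, "\0")
    return sum(x != y for x, y in zip(a, b))

def check_password(new, old=""):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(new) < SIGNIFICANT:
        problems.append("shorter than 8 characters")
    seen = new[:SIGNIFICANT]  # judge only what the system actually compares
    non_alpha = [i for i, c in enumerate(seen) if not c.isalpha()]
    if not non_alpha:
        problems.append("no number or special character in the first 8")
    elif len(non_alpha) == 1 and non_alpha[0] in (0, len(seen) - 1):
        problems.append("only non-alphabetic character is first or last")
    if old and differing_positions(old, new) < 3:
        problems.append("fewer than 3 characters differ from the old password")
    # Stand-in for one cracking rule: lowercase, strip non-letters at both ends.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", seen.lower())
    if core in SAMPLE_WORDS:
        problems.append("dictionary word, possibly with characters added")
    if re.search(r"qwerty|123", seen.lower()):
        problems.append("keyboard pattern or numbering scheme")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for new, old in [("tr7%Kp2w", ""), ("password1", ""), ("charney7", ""),
                     ("tr7%Kp2wZZZ", "tr7%Kp2wAAA")]:
        print(new, "->", check_password(new, old) or "acceptable")
```
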

Other Common Precautions to Protect your Passwords


  • Use different passwords on each computer system and workstation to which you have access.
  • Never give your password to a friend or co-worker. This is a breach of NASA and NCCS security policy; is considered a violation of Section 799, Title 18, of the U.S. Code; constitutes theft; and is punishable by law.
  • Do not write your passwords on paper.
  • Guard against password exposure. Some code or other procedures may contain passwords. Be careful that this code is itself protected against being read.
  • Avoid exposing your password!

NASA Curator: Mason Chang,
NCCS User Services Group (301-286-9120)
NASA Official: Phil Webster, High-Performance
Computing Lead, GSFC Code 606.2

Last Modified: Monday, 03-Dec-2007 13:08:26 EST
Reason for Modification: Removed obsolete references to decommissioned NCCS computing systems.