**************************************************************************
Security Bulletin 9308                  DISA Defense Communications System
March 26, 1993               Published by: DDN Security Coordination Center
                                        (SCC@NIC.DDN.MIL)  1-(800) 365-3642

                     DEFENSE DATA NETWORK SECURITY BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns to
security and management personnel at DDN facilities. Back issues may be
obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using
login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and
"nn" is a bulletin number, e.g. scc/ddn-security-9308).
**************************************************************************

                           PASSWORD MANAGEMENT

REFERENCES:

  o DCA Circular 310 P115-1, DDN Security Management Procedures for Host
    Administrators (Volume 1), dated May 1991.

  o CSC-STD-002-85, Department of Defense Password Management Guideline,
    dated 12 April 1985.

The Defense Information Systems Agency continually strives to improve its
resources for providing a reasonable level of security for the Defense Data
Network. This bulletin is meant to reinforce emphasis on password
management.

Individual accountability is the key to securing and controlling any system
that processes information on behalf of individuals or groups of
individuals. A number of requirements must be met in order to satisfy this
objective. The first requirement is individual user identification. The
second is authentication; without authentication, user identification has
no credibility.

The security provided by a PASSWORD system depends on the passwords being
kept secret at all times. Host Administrators must assure that passwords
are kept secret by their users.
Host Administrators must also assure that passwords are robust enough to
thwart exhaustive attack by password cracking mechanisms, that they are
changed periodically, and that password files are adequately protected.
Passwords should be changed at least annually.

Encryption of stored passwords should be used whenever the access control
mechanisms provided by the ADP system are not adequate to prevent exposure
of the stored passwords. It should be used even when other access controls
are considered adequate, as this helps protect against possible exposure
when normal access controls are bypassed (e.g., System Dumps). Encryption
of the password should be done immediately upon entry, the memory
containing the plain-text password should be erased immediately upon
encryption, and only the encrypted password should be used for comparison.

It is recommended that the password typed in by the user not be echoed.
When the system cannot prevent the password from being echoed, it is
recommended that a random overprint mask be displayed before or after the
password is entered, as appropriate, to conceal the typed password.

The length of the password should be, at a minimum, six (6) alphanumeric
characters.

It is also recommended that users memorize their passwords and not write
them on any medium. If passwords must be written, they should be protected
in a manner that is consistent with the damage that could be caused by
their compromise.

IT IS CONSIDERED A SECURITY VIOLATION TO MAKE KNOWN, SHARE, OR EXPOSE ALL
OPERATIONAL PASSWORDS AND ACCESS CODES.

It is recommended that each accumulation of five (5) consecutive
unsuccessful login attempts from a single access port or against a single
user ID result in the immediate notification of the event to the ADP
system operator or the System Security Officer.

Formal investigations of unauthorized or illegal activities occurring on
the Defense Data Network (DDN) must be coordinated with the DDN Network
Security Officer (DDNNSO).

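The five-consecutive-failure notification rule recommended above, as an added example that is not part of the bulletin: a small monitor that keeps a separate run counter per access port and per user ID, raises one notification each time either run reaches five, and ends a run only on a successful login for that port or user. The port names, user IDs and the "NOTIFY SSO" message format are assumptions; the sample attempts are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class LoginAttempt:
    port: str      # access port the attempt came from (e.g. a terminal line)
    user: str      # user ID the attempt was made against
    success: bool

@dataclass
class FailureMonitor:
    """Tracks runs of consecutive failed logins per access port and per user ID."""
    threshold: int = 5  # consecutive failures before notification, per the bulletin
    port_fail: dict = field(default_factory=dict)
    user_fail: dict = field(default_factory=dict)

    def record(self, attempt):
        """Update both counters; return the notifications raised by this attempt."""
        raised = []
        if attempt.success:
            # A successful login ends the run on this port and this user ID only.
            self.port_fail[attempt.port] = 0
            self.user_fail[attempt.user] = 0
            return raised
        for kind, key, counts in (("port", attempt.port, self.port_fail),
                                  ("user", attempt.user, self.user_fail)):
            counts[key] = counts.get(key, 0) + 1
            if counts[key] == self.threshold:
                raised.append(f"NOTIFY SSO: {self.threshold} consecutive failed "
                              f"logins on {kind} {key}")
                counts[key] = 0  # each accumulation of five is reported once
        return raised

def run(attempts):
    """Feed attempts through a fresh monitor and return every notification raised."""
    mon = FailureMonitor()
    return [note for attempt in attempts for note in mon.record(attempt)]

# Constructed sample (not real DDN data): a guessing run against user "smith"
# alternated over two ports, then port tty03 cycling through five user IDs.
SAMPLE = [
    LoginAttempt("tty01", "smith", False), LoginAttempt("tty02", "smith", False),
    LoginAttempt("tty01", "smith", False), LoginAttempt("tty02", "smith", False),
    LoginAttempt("tty01", "smith", False),  # 5th consecutive failure against "smith"
    LoginAttempt("tty03", "jones", False), LoginAttempt("tty03", "brown", False),
    LoginAttempt("tty03", "adams", False), LoginAttempt("tty03", "lee", False),
    LoginAttempt("tty03", "kim", False),    # 5th consecutive failure from port tty03
    LoginAttempt("tty01", "smith", True),   # success resets "smith" and tty01
]
```

`run(SAMPLE)` returns two notifications: the per-user run on "smith" trips first even though no single port saw five failures, and the per-port run on tty03 trips although every user ID there was tried only once.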
Individuals suspected of unauthorized access to or use of host computers
over the DDN will be subject to prosecution under Title 18 of the federal
criminal code.

****************************************************************************
*                                                                          *
*  The point of contact for MILNET security-related incidents is the       *
*  Security Coordination Center (SCC).                                     *
*                                                                          *
*  E-mail address: SCC@NIC.DDN.MIL                                         *
*                                                                          *
*  Telephone: 1-(800)-365-3642                                             *
*                                                                          *
*  NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,     *
*  Monday through Friday except on federal holidays.                       *
*                                                                          *
****************************************************************************