A.5 Chapter 4: Users, Passwords, and Authentication

  • Be sure that every person who uses your computer has his or her own account.

  • Be sure that every user's account has a password.

  • Pick strong, nonobvious passwords.

  • Consider automatic generation or screening of passwords.

  • Pick passwords that are not so difficult to remember that you have to write them down.

  • After you change your password, don't forget it!

  • After you change your password, test it before you log out: from a second terminal, with the su command (su - yourname from another account), or with the telnet localhost command. Keep the session in which you changed the password open until the new password has been verified, so that a mistyped password cannot lock you out.

  • If you must write down your password, don't make it obvious that what you have written is, in fact, a password. Do not write your account name or the name of the computer on the same piece of paper. Do not attach your password to your terminal, keyboard, or any part of your computer.

  • Never record passwords online or send them to another user via electronic mail.

  • Don't use your password as the password to another application such as a Multiuser Dungeon (MUD) game.

  • Don't use your password on other computer systems under different administrative control.

  • Consider using one-time passwords, tokens, or smart cards.

  • Ensure that all users know about good password management practices.
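The "automatic generation or screening of passwords" item above is the one that is usually automated. The following is an added example (not code from the book) of a small screener in the spirit of cracklib-style checks, together with a generator for random passwords and for the more memorable passphrase form: it rejects short passwords, passwords built from too few character classes or too few distinct characters, passwords containing the account name, and passwords that reduce to a dictionary word once case, surrounding digits/punctuation and the usual leetspeak substitutions are stripped. DICTIONARY and PASSPHRASE_WORDS are constructed, deliberately tiny lists; a real deployment would load a system dictionary or a cracking wordlist and a diceware-size passphrase list.

```python
import secrets
import string

# Constructed, deliberately tiny stand-in for a system dictionary or cracking
# wordlist; a real screener would load /usr/share/dict/words or a cracker's list.
DICTIONARY = {"password", "secret", "welcome", "dragon", "letmein", "qwerty", "monkey"}

# Constructed word list for passphrases (a real one has thousands of entries;
# with only eight words this generator has no meaningful entropy).
PASSPHRASE_WORDS = ["violet", "kettle", "orbit", "saddle",
                    "glacier", "pepper", "lantern", "maple"]

MIN_LENGTH = 12          # below this, reject outright
PASSPHRASE_LENGTH = 20   # at or above this, the character-class rule is waived

# Substitutions crackers try first:
# 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, 8->b, @->a, $->s, !->i
LEET = str.maketrans("0134578@$!", "oleastbasi")


def normalize(candidate: str) -> str:
    """Reduce a candidate to the dictionary word a cracker would derive it from:
    lowercase, drop leading/trailing digits and punctuation, undo leetspeak."""
    core = candidate.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def screen_password(candidate: str, username: str) -> list[str]:
    """Return the reasons a proposed password should be rejected ([] means it passed)."""
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ])
    # Short passwords must mix classes; long passphrases get by on length alone.
    if len(candidate) < PASSPHRASE_LENGTH and classes < 3:
        problems.append("uses fewer than three character classes")

    if len(set(lowered)) < 5:
        problems.append("built from too few distinct characters")

    uname = username.lower()
    if uname and (uname in lowered or uname[::-1] in lowered):
        problems.append("contains the account name (or its reverse)")

    norm = normalize(candidate)
    # Also try the form with one leading or trailing character removed: adding a
    # single character to a word is among the cheapest mangling rules crackers use.
    for variant in (norm, norm[1:], norm[:-1]):
        if variant in DICTIONARY:
            problems.append(f"derived from the dictionary word '{variant}'")
            break

    return problems


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG, regenerated until it passes the screen."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not screen_password(candidate, ""):
            return candidate


def generate_passphrase(words: int = 4) -> str:
    """Memorable alternative: several randomly chosen words joined with hyphens."""
    while True:
        candidate = "-".join(secrets.choice(PASSPHRASE_WORDS) for _ in range(words))
        if not screen_password(candidate, ""):
            return candidate


if __name__ == "__main__":
    samples = ["Password1", "P@ssw0rd!", "alice2024!Xyz",
               generate_password(), generate_passphrase()]
    for pw in samples:
        verdict = screen_password(pw, "alice") or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

Run it with a real account name and the script prints each rejection reason, which is what a user needs in order to pick something better; a screener that only says "bad password" trains people to append a digit and retry. The dictionary check deliberately compares the whole normalized password rather than looking for substrings, so a hyphenated passphrase made of ordinary words is not rejected merely because its components are in the dictionary.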
