Unix userid conventions

[brian]

Expires:

Sender:

Followup-To:

Distribution:

Keywords:


Our company does a large amount of consulting & programming on systems from
PC's to IBM main frames, with 90% of the work under Unix, which is divided
up about 70-30 between DoD and Private enterprises.  Every system can be
considered to contain sensitive information to somebody somewhere, whether it
be government or private.  Generally speaking, under Unix using the user's
name is the only good method for userids for the many reasons already
mentioned (i.e.  e-mail), and most large systems do generate their own account
names for their own convenience. However, there are times and systems when a
cryptic password, and/or userid is necessary.

When a name is used for the userid, and the user is allowed to assign their
own password, 90% of the time they will use passwords of some familiarity,
their child's name (alla Wargames), religious affiliation, names of great
ships.  For a great many systems this is no problem.  But in large corporate
structures, the most pervasive security issue facing Administrators today
arises using such a passwording and userid scheme.  This is the Internal
Infiltrator (I.I.).

These security violator, under Unix particularly, usually have no interest
getting to the master account (root).  Rather, the I.I.  is usually interested
in viewing data he has no business looking at.  For example, a manager writes
a confidential memo to another manager that a recently transfered employee was
suspected of using cocaine on the job, and for the new manager to keep an eye
on him.  Later the employee is fired for whatever reason, only to produce a
copy of the memo.  Legally explosive.  Other examples include viewing a
competitor's accounting files.  An unscrupulous colleague damaging your work
for his own gain in the work place.  These have and continue to happen in the
corporate world, and if an I.I.  knows something about you, and your method
for passwording, he's already cut down the number of password bangs from
hundreds of thousands to tens, or maybe even a few thousand.  He probably
doesn't even care about root's password.  The I.I.  is the #1 threat to
security in the corporate Unix world.

For those situations our method of generating a password is to open a
dictionary, point to a word, and take the first letter.  Then close the
dictionary, open again, p-t-a-w, and take the second letter, etc., etc.,
through the maximum allowable characters.  From, there, it is absolutely
forbidden to write down the password, instead a mnemonic is developed (i.e.
qazxsw is quite all zebras x-ray session writing).  This is drilled into the
user.  We now are back to hundreds of thousands of possibilities.

Under Unix, it makes no sense to be cryptic for the userids, for all the I.I.
would have to do is print the passwd file, and then bang on the password to
get in under the account desired.  Using mnemonic userids is the only viable
method to assign these.  However, on non-Unix machines, without these types of
security deficiencies, cryptic userids do become a powerful tool for internal
security.

Lastly, the best security method of all is put the system in a TEMPEST
approved vault, with all the terminals in the vault, and make everybody sign
in and out.  But then again, anybody that really wants in can always pull out
the most trusted tool of any system penetrator.  The time honored practice of
bribery.  A very hard method to defend against.


Brian Douglass
Applied Systems Consultants, Inc. (ASCI)
P.O. Box 13301
Las Vegas NV  89112
(702) 733-6761