Guessed Account Password
Impact
An attacker who is able to guess the password to a user account
could gain shell access to the system with the privileges of the user.
From there it is often trivial to gain complete control of the system.
The Problem
Administrators often set up new user accounts with no password or with
a default password which is easy to guess. Additionally, some users may
choose a simple password which is easy to remember. Null passwords and
passwords that are very similar to the login name are an easy way for
attackers to gain access to the system.
Resolution
Protect all accounts with a password that cannot be guessed. Require
users to choose passwords which are eight charactes long, including
numeric and non-alphanumeric characters, and which are not based on
the login name or any other personal information about the user. Enforce
this policy using a utility such as
npasswd
in place of the default UNIX passwd program. Check the
strength of all account passwords periodically using a password
cracking utility such as
Crack.
Where can I read more about this?
Walter Belgers' paper,
UNIX password security, is a good reference on strengthening passwords.