Guessed Account Password

Impact

An attacker who is able to guess the password to a user account could gain shell access to the system with the privileges of the user. From there it is often trivial to gain complete control of the system.

The Problem

Administrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system.

Resolution

Protect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight charactes long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. Enforce this policy using a utility such as npasswd in place of the default UNIX passwd program. Check the strength of all account passwords periodically using a password cracking utility such as Crack.

Where can I read more about this?

Walter Belgers' paper, UNIX password security, is a good reference on strengthening passwords.