Secure Passwords

Hi,

I just read an article on HowtoForge where admins can search for weak passwords on their (non-Virtualmin) systems.

http://www.howtoforge.com/how-to-detect-weak-mail-passwords-on-your-ispc...

Seems like a good idea...I've had the dubious privilege of getting many servers off of blacklists. Not fun...

My experience over the years has definitely led me to believe weak passwords are the biggest security risk to computer security.

So, my question, is there a similar way/method/tool for us to search for weak passwords on our Virtualmin servers?

Do you have any suggestions pertaining to password security?

Thanks again for a great product!

G

Status: Active

Comments

Howdy -- tools that work on other Linux systems would also work just fine on a Virtualmin system, since email users are added as normal users to the password file.

While we don't have specific recommendations, all you need is a tool that looks at the passwd/shadow files and checks the passwords for each account.

Also, you can set up password restrictions using Virtualmin to assist in that process.

To do that, go into Webmin -> System -> Users and Groups -> Password Restrictions.

On that screen, you can set up minimal password sizes, you can prevent dictionary words from being used, and a number of other rules.
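The three restrictions named in the reply above (minimum length, no dictionary words, no username in the password) as a small checker. This is an added example for illustration, not Webmin's own implementation: the minimum length of 12 and the five-word dictionary are constructed stand-ins for your real policy and wordlist, and the folding of digit substitutions ("p4ssw0rd") back to letters is an extra I added, not something the Webmin screen claims to do.

```python
# Password-restriction checker modelled on the three Webmin settings named
# in the thread (minimum length, no dictionary words, no username in the
# password). Added example, not Webmin's implementation.

MIN_LENGTH = 12  # assumed policy value; use whatever your Webmin setting says

# Constructed stand-in for a system wordlist such as /usr/share/dict/words.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}

# Fold common digit/symbol substitutions back to letters before the lookup so
# that "p4ssw0rd" is still treated as the dictionary word "password".
# (This fold-back is an addition; Webmin's own check may be plainer.)
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def load_wordlist(path, min_len=4):
    """Read a newline-separated wordlist; very short words are skipped
    because they would match almost any password."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return {w.strip().lower() for w in fh if len(w.strip()) >= min_len}


def contains_dictionary_word(password, dictionary=DICTIONARY, min_word_len=4):
    """Return the first dictionary word found inside the password, or None."""
    folded = password.lower().translate(LEET)
    for word in sorted(dictionary):          # sorted for deterministic output
        if len(word) >= min_word_len and word in folded:
            return word
    return None


def check_password(username, password, min_length=MIN_LENGTH, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    word = contains_dictionary_word(password, dictionary)
    if word is not None:
        problems.append(f"contains dictionary word '{word}'")
    uname = username.lower()
    pw = password.lower()
    if uname and uname in pw:
        problems.append("contains the username")
    # Virtualmin mail users are often named user@domain; the local part alone
    # is just as guessable, so check it separately.
    local = uname.split("@", 1)[0]
    if local and local != uname and local in pw:
        problems.append("contains the username's local part")
    return problems


if __name__ == "__main__":
    for user, pw in [("gary@example.com", "gary2024!!"),
                     ("bob", "P4ssw0rd-Summer!"),
                     ("alice", "Tq9#vL2!mXz8wR")]:
        verdict = check_password(user, pw) or ["ok"]
        print(f"{user:20} {pw:20} {'; '.join(verdict)}")
```

To run the same rules against proposed passwords with a real wordlist, pass `load_wordlist("/usr/share/dict/words")` as the `dictionary` argument; the check is deliberately substring-based, since a password that merely wraps a dictionary word in digits gains little.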

Hello again,

I have tweaked the settings you suggested (thanks for that) for new user defaults (I assume they will work at this point):

Webmin -> System -> Users and Groups -> Module Config -> Password Restrictions

  • Minimum password length
  • Prevent dictionary word passwords
  • Prevent passwords containing username

and here:

Webmin -> System -> Users and Groups -> Module Config -> New user defaults

  • Default maximum days for new users
  • Default warning days for new users
  • Default inactive days for new users

But I found that since we are using LDAP for authentication, the /etc/passwd file does not store the bits.

In the LDAP database, I see a field "shadowLastChange", but no other obvious password-related attributes.

Do you have any suggestions for me around forcing existing (LDAP) users to change their passwords, or to forcibly expire their passwords on a schedule?

Thanks again,

G

Talking to Jamie, it doesn't sound like there's a way to do that in LDAP now.

However, apparently, the password aging doesn't work properly when using the passwd/shadow files either :-)

That's something he's going to look into.

Though it's a bit tricky, as not all services on the system would handle an expired password well. For example, if a user is checking email via IMAP/POP, I'm not sure that there's a simple way for a user to update it, other than logging in via Virtualmin/Usermin to change it.

And that might generate quite a few support calls, as it would likely appear to the user as if their mail client stopped working.

In the next Virtualmin release, those defaults for the min, max and warning days will be applied to new users created in Virtualmin.
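Since the thread ends on password aging without a way to apply it to existing LDAP users, here is an added example (not Virtualmin or Webmin code) that audits the shadow(5) aging fields: the max, warning and inactive days discussed above, plus the last-change and account-expiry days. The RFC 2307 shadowAccount attributes (shadowLastChange, shadowMax, shadowWarning, shadowInactive, shadowExpire) carry the same day-count semantics, so the same classifier is applied to attribute dictionaries as returned by an LDAP search. The sample entries and the `TODAY` value are constructed; whether a given PAM/NSS setup actually enforces these values is an assumption to verify on your own stack, and as the reply above notes, IMAP/POP services may not handle an expired password gracefully.

```python
# Password-aging audit for shadow(5) fields. Added example, not Virtualmin or
# Webmin code. Day counts are days since 1970-01-01, as in /etc/shadow and in
# the RFC 2307 shadowAccount attributes.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Aging:
    name: str
    last_change: Optional[int]    # None = aging disabled; 0 = must change at next login
    max_days: Optional[int]       # None or 99999 = password never expires
    warn_days: Optional[int]
    inactive_days: Optional[int]  # grace period after expiry before the account locks
    expire: Optional[int]         # absolute account expiry day, independent of the password


def _int_or_none(field):
    field = (field or "").strip()
    return int(field) if field else None


def parse_shadow_line(line):
    """Parse one /etc/shadow entry: name:hash:lastchg:min:max:warn:inactive:expire:reserved."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 8:
        raise ValueError(f"malformed shadow entry: {line!r}")
    name, _hash, lastchg, _min, maxd, warn, inact, expire = parts[:8]
    return Aging(name, *map(_int_or_none, (lastchg, maxd, warn, inact, expire)))


def aging_from_ldap(attrs):
    """Build the same record from a shadowAccount entry given as an attribute dict
    (values as strings, the way an ldapsearch result is usually decoded)."""
    return Aging(attrs["uid"],
                 *map(_int_or_none, (attrs.get("shadowLastChange"), attrs.get("shadowMax"),
                                      attrs.get("shadowWarning"), attrs.get("shadowInactive"),
                                      attrs.get("shadowExpire"))))


def aging_status(a, today):
    """Classify one record for a given day number, following the shadow(5) rules."""
    if a.expire is not None and today >= a.expire:
        return "account-expired"
    if a.last_change is None:
        return "aging-disabled"
    if a.last_change == 0:
        return "change-required"
    if a.max_days is None or a.max_days >= 99999:
        return "never-expires"
    expires_on = a.last_change + a.max_days
    if today >= expires_on:
        if a.inactive_days is not None and today >= expires_on + a.inactive_days:
            return "locked-inactive"
        return "password-expired"
    if a.warn_days is not None and today >= expires_on - a.warn_days:
        return "expiring-soon"
    return "ok"


def audit(lines, today):
    """Map account name -> status for a list of /etc/shadow lines."""
    return {e.name: aging_status(e, today) for e in map(parse_shadow_line, lines)}


def force_change_ldif(dn):
    """ldapmodify input that sets shadowLastChange to 0 ("change at next login").
    Assumption: the PAM/NSS stack on the server is configured to honour
    shadowAccount aging; as the thread notes, mail clients may not cope."""
    return f"dn: {dn}\nchangetype: modify\nreplace: shadowLastChange\nshadowLastChange: 0\n"


def today_days():
    """Current day number, for auditing a live /etc/shadow."""
    return (date.today() - date(1970, 1, 1)).days


# Constructed sample /etc/shadow lines (hashes replaced by placeholders).
SAMPLE_SHADOW = [
    "alice:$6$HASH:19900:0:90:7:14::",       # 90-day max, expired 10 days ago
    "bob:$6$HASH:19950:0:90:7:14::",         # fresh password
    "carol:$6$HASH:19915:0:90:7:14::",       # inside the 7-day warning window
    "dave:$6$HASH:0:0:90:7:14::",            # lastchg 0: must change at next login
    "erin:$6$HASH:19000:0:99999:7:::",       # 99999 = never expires
    "frank:$6$HASH:19800:0:90:7:14::",       # expired and past the inactive grace
    "grace:$6$HASH:19950:0:90:7:14:19990:",  # the account itself has expired
    "svc:!:::::::",                          # locked service account, no aging
]
TODAY = 20000  # constructed "today" (2024-10-04) so the sample is reproducible

if __name__ == "__main__":
    for name, status in audit(SAMPLE_SHADOW, TODAY).items():
        print(f"{name:8} {status}")
    print(force_change_ldif("uid=alice,ou=Users,dc=example,dc=com"))
```

Against a live system, feed `open("/etc/shadow")` and `today_days()` to `audit()` (as root); for LDAP, decode each shadowAccount entry into a dict and pass it through `aging_from_ldap()`. Accounts that come back as `password-expired` or `locked-inactive` are the ones whose users will see their mail client "stop working" if expiry is enforced, which is the support load the reply above warns about.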