System Administration Guide
Chapter 5, Maintaining system security

Stolen passwords

Each time a user logs in, the system displays the time and date of the last login. The most obvious evidence of a stolen password is a last login that differs from what the user remembers; secondary evidence is that a user's files have been altered. Warn users to note their last login and to report any discrepancies immediately, including any instances where their files have been disturbed. Make certain that users follow the guidelines discussed in ``Login security'' and ``Password security'' in the Operating System User's Guide. These guidelines ensure that other users cannot guess passwords or otherwise obtain them.

The administrator should carefully consider which restrictions to place on passwords. One popular (and dangerous) practice is to have accounts without passwords. Although this feature is available, accounts without passwords are strongly discouraged. It is difficult to prevent damage or further penetration of the system once someone has logged on to an account. The identification and authentication procedure is the first line of defense against tampering.

Another weapon against stolen passwords is to enforce an interval between login attempts and to limit the number of unsuccessful login attempts for accounts and terminals. Although this can be annoying when a user makes a mistake in entering a password, it hinders an unauthorized user from making repeated attempts to guess a password.
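The following added example (not part of the original guide, and not the operating system's own implementation) replays a constructed list of login attempts to show how separate limits on unsuccessful logins for accounts and for terminals behave. The record format, the limit values and the name apply_limits are assumptions chosen for illustration.

```python
from collections import defaultdict

# Assumed limits for illustration; the real values are a matter of site policy.
ACCOUNT_LIMIT = 3    # consecutive failures before an account is locked
TERMINAL_LIMIT = 5   # consecutive failures before a terminal is locked

# Constructed sample records: (time, terminal, account, password_correct)
ATTEMPTS = [
    ("08:59:40", "tty01", "alice", True),
    ("09:14:10", "tty02", "bob",   False),  # a typing mistake...
    ("09:14:25", "tty02", "bob",   True),   # ...a success resets the counters
    ("12:30:00", "tty07", "carol", False),
    ("12:30:05", "tty07", "carol", False),
    ("12:30:09", "tty07", "carol", False),  # third failure: account locked
    ("12:30:14", "tty07", "carol", True),   # refused, account already locked
    ("12:30:20", "tty07", "dave",  False),  # same terminal, other accounts
    ("12:30:26", "tty07", "erin",  False),  # fifth failure: terminal locked
    ("12:31:00", "tty07", "alice", True),   # refused, terminal locked
]

def apply_limits(attempts, account_limit=ACCOUNT_LIMIT, terminal_limit=TERMINAL_LIMIT):
    """Replay attempts; return (locked_accounts, locked_terminals, rejected)."""
    acct_fail, term_fail = defaultdict(int), defaultdict(int)
    locked_accounts, locked_terminals = {}, {}   # name -> time the lock was set
    rejected = []                                # attempts refused because of a lock
    for when, term, acct, ok in attempts:
        if acct in locked_accounts or term in locked_terminals:
            rejected.append((when, term, acct))  # refused even with the right password
            continue
        if ok:
            acct_fail[acct] = term_fail[term] = 0
            continue
        acct_fail[acct] += 1
        term_fail[term] += 1
        if acct_fail[acct] >= account_limit:
            locked_accounts[acct] = when
        if term_fail[term] >= terminal_limit:
            locked_terminals[term] = when
    return locked_accounts, locked_terminals, rejected

if __name__ == "__main__":
    accounts, terminals, refused = apply_limits(ATTEMPTS)
    print("locked accounts: ", accounts)
    print("locked terminals:", terminals)
    print("refused attempts:", refused)
```

The terminal limit catches the case the account limit misses: several accounts each tried a few times from one terminal.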

Other than reports from the users themselves, the principal method for detecting stolen passwords is to generate terminal and login reports -- see ``Creating account and login activity reports''. Look for:

If any of these occur, you should suspect that someone is trying to gain access to your system. You should ensure that passwords are both changed regularly and made difficult to guess; this is the best assurance of password security.