For many businesses, interactive logins to their Linux servers are authenticated by the use of a password. Here we look at some of the steps you can take to ensure that your passwords are robust, and also explain how you can make your systems secure against someone who is trying to guess their way in.
What makes a good password?
Let’s consider a few examples:
- pa55word: The days when this was even remotely secure are the subject of rambling tales told by grandparents about “the good old days”. Don’t do it.
- HotelCalifornia: easy to remember, but don’t sing, “On a dark desert highway…” as you type it. It won’t take long for someone who is determined to discover it.
- eW3Quah2: better, but (unless this has some secret meaning to you) tricky to remember. Should you write it down?
- xe2fee-Rah_d;ohr#e;aCh0Ah: if this has some secret meaning for you, you are blessed with an interesting life. You probably don’t need this page at all.
- correcthorsebatterystaple: as made famous by this xkcd cartoon. The point – that stringing together four random words creates a “hard to guess” password – is valid.
If you use services that will send a helpful “password reminder” by email, make sure your email password is secure. After all, that’s the only one an attacker needs to know, isn’t it?
Keeping your Linux server secure
A few tips:
- don’t permit ‘root’ logins via ssh
- set up fail2ban or something similar. This scans the log files, identifies remote IP addresses that persistently cause login failures, and blocks access to your system from those addresses. It can be configured for many different applications: mail, FTP, ssh, WordPress and other websites.
- don’t use support services that ask you for your password. If you really must, then change the password before you hand it over, and again when they’ve finished.
- don’t use services that email your username and password to you in plain text. True, you won’t always know in advance that this will happen, but it’s a sure sign that the organisation concerned doesn’t take security very seriously.
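As an added illustration of the fail2ban tip above (this is not fail2ban’s own code, nor code from the original article), here is a small Python sketch of what such a tool does: it scans constructed sshd lines in the format found in /var/log/auth.log and reports source addresses that exceed a failure threshold inside a time window. The maxretry and findtime names echo fail2ban’s settings of the same names; the host name, process ids and addresses in the sample log are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the traditional syslog format sshd writes to
# /var/log/auth.log. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar  3 10:00:04 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:09 host sshd[1204]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:00:12 host sshd[1205]: Failed password for bob from 198.51.100.7 port 40023 ssh2
Mar  3 10:30:15 host sshd[1206]: Failed password for bob from 198.51.100.7 port 40024 ssh2
Mar  3 10:30:16 host sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 51237 ssh2
"""

# Matches the timestamp and source address of a failed password attempt.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    # Syslog timestamps carry no year; assume one (2024 here) for the arithmetic.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_persistent_failures(log_text: str, maxretry: int = 3, findtime_s: int = 600) -> set:
    """Return source addresses with at least `maxretry` failed logins inside
    any `findtime_s`-second window (the same idea as fail2ban's maxretry/findtime)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            attempts[m.group("ip")].append(parse_ts(m.group("ts")))
    banned = set()
    for ip, times in attempts.items():
        times.sort()
        # Sliding window: compare each failure with the one (maxretry - 1) earlier.
        for i in range(maxretry - 1, len(times)):
            if (times[i] - times[i - maxretry + 1]).total_seconds() <= findtime_s:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    print(find_persistent_failures(SAMPLE_LOG))  # prints {'203.0.113.5'}
```

With the defaults, 198.51.100.7 is not reported: its two failures are half an hour apart and fall outside the window, which is the distinction between a user mistyping a password and a persistent guesser.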
As Randall Munroe, author of xkcd, says, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”.
Many online banking sites require you to type in a number from a hardware token as well as supply a password. This is “two-factor authentication” (2FA), and is something that you should consider if you want to implement much improved security. Setting up 2FA on a Linux server is beyond the scope of this page, but here at Tiger Computing we use YubiKeys. These look like a small USB drive, but are actually a hardware authentication device that supports public key encryption and authentication as well as other protocols.