Information Security Best Practices: 205 Basic Rules

9.3: Account Security

INFOSEC Best Practice #78

Do not disclose a computer's identity until login is completed successfully.

Configure the operating system so that the login prompt or pre-login banner does not identify the system by name, role, or platform until authentication has completed. Someone who has not yet proven who they are has no need to know which machine they have reached. To an attacker probing a network, a banner that announces the hostname, the machine's function (a payroll or database server, say), or the exact operating system release is a ready-made target list, and reading it costs nothing. On many Unix-like systems this means editing /etc/issue, whose escape sequences (for example \n, which prints the hostname) are expanded by getty before login, and the file named by the sshd Banner directive; a neutral authorized-use notice is the usual replacement.
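The following checker is an added example, not code from the book: it reads a banner file's text and reports the agetty escape sequences (and any literal hostname) that would disclose the machine's identity before login. The sample banners and the hostname payroll-db01.corp.example are constructed for the illustration.

```python
from __future__ import annotations

import re

# agetty(8) escape sequences that print machine identity or platform details
# before login. \l (tty line), \d and \t (date, time), \u and \U (logged-in
# user counts) are harmless and deliberately not listed.
IDENTITY_ESCAPES = {
    "n": "hostname (nodename)",
    "o": "NIS domain name",
    "O": "DNS domain name",
    "4": "IPv4 address of an interface",
    "6": "IPv6 address of an interface",
    "s": "operating system name",
    "r": "kernel release",
    "m": "machine architecture",
    "v": "operating system version",
}
_ESCAPE_RE = re.compile(r"\\([A-Za-z46])")


def banner_findings(text: str, hostname: str | None = None,
                    expands_escapes: bool = True) -> list[str]:
    """Return one finding per disclosure; an empty list means the banner is clean.

    text            -- contents of the banner file
    hostname        -- if given, also flag the host's short name appearing literally
    expands_escapes -- True for agetty's /etc/issue, False for a file served
                       verbatim (OpenSSH's Banner directive does not expand escapes)
    """
    findings = []
    if expands_escapes:
        for match in _ESCAPE_RE.finditer(text):
            meaning = IDENTITY_ESCAPES.get(match.group(1))
            if meaning:
                findings.append(f"escape \\{match.group(1)} expands to {meaning}")
    if hostname:
        short = hostname.split(".")[0]
        if short and short.lower() in text.lower():
            findings.append(f"literal hostname '{short}' present")
    return findings


# Constructed sample banners (not copied from any real system).
WEAK_ISSUE = "Debian GNU/Linux 12 \\n \\l\n"        # common distro default: \n prints the hostname
WEAK_ISSUE_NET = "Welcome to payroll-db01 (Finance). Authorized users only.\n"
FIXED_BANNER = "Authorized use only. Activity on this system is monitored and logged.\n"

if __name__ == "__main__":
    host = "payroll-db01.corp.example"   # assumed hostname of the machine being checked
    for path, text, expands in [("/etc/issue", WEAK_ISSUE, True),
                                ("/etc/issue.net", WEAK_ISSUE_NET, False),
                                ("/etc/issue (fixed)", FIXED_BANNER, True)]:
        problems = banner_findings(text, host, expands)
        print(path, "->", problems or "clean")
```

To audit a real machine, pass the contents of /etc/issue and /etc/issue.net together with the output of uname -n; the fixed banner above is clean because it names neither the host nor its role.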

INFOSEC Best Practice #79

Use an automatic password generator to help the user with password creation.

The more constraints your security policy places on an acceptable password, the harder users find it to invent one, and frustration and complaints follow. To help, some account management programs include an automatic password generator that produces a password meeting your policy criteria. The drawback is that generated passwords tend to be cryptic strings that are hard to remember, and a password nobody can remember often ends up written down. Offering the generator still gives frustrated users some help, but put the emphasis on users choosing their own creative, memorable passwords. If a generator is used, make sure it draws from a cryptographically strong random source; a generator whose output is predictable gives an attacker a shortcut to every password it produced.
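As an added example (not from the book or any particular account management program), this is how a policy-driven generator can be built: characters come from the operating system's CSPRNG via Python's secrets module, candidates that miss a required character class are rejected, and a word-based alternative addresses the memorability problem the text raises. The symbol set and the 32-word list are assumptions constructed for the example; a deployment would use its own policy and a published word list.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_"          # assumed policy symbol set; avoids quotes, backslash, space
DEFAULT_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def meets_policy(password: str, min_length: int = 16, classes=DEFAULT_CLASSES) -> bool:
    """True if the password is long enough and uses at least one char from every class."""
    return len(password) >= min_length and all(
        any(c in cls for c in password) for cls in classes
    )


def generate_password(length: int = 16, classes=DEFAULT_CLASSES) -> str:
    """Draw characters from the CSPRNG until a candidate meets the policy.

    Rejection sampling is used instead of 'one char from each class, then
    shuffle' so the result stays uniform over all policy-compliant strings.
    """
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_length=length, classes=classes):
            return candidate


# Constructed placeholder list (32 words = 5 bits per word). A real deployment
# would load a published list such as the EFF large list (7776 words, ~12.9 bits each).
WORDS = (
    "acorn", "badge", "cable", "delta", "ember", "fable", "glide", "harbor",
    "ivory", "jolly", "kayak", "lemon", "maple", "noble", "orbit", "pilot",
    "quilt", "river", "saber", "tulip", "union", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "dunes", "eagle", "frost",
)


def generate_passphrase(words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Random words joined by `sep`: far easier to remember than a symbol soup."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy for `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "policy ok:", meets_policy(pw),
          f"~{entropy_bits(len(''.join(DEFAULT_CLASSES)), 16):.0f} bits before rejection")
    pp = generate_passphrase(5)
    print(pp, f"{entropy_bits(len(WORDS), 5):.0f} bits")
```

Never substitute random.random or a seeded generator for secrets: the character-class rule buys nothing if the sequence of outputs can be reproduced.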

INFOSEC Best Practice #80

The password file must hold only one-way hashed passwords and must be protected by the operating system.

Most operating systems do this already: passwords are never stored in the clear, only as salted one-way hashes (the crypt(3) scheme behind /etc/shadow, for example), and the hash file is readable only by privileged accounts. Note that this is hashing, not encryption; there is no key that recovers the original password, and that is the point, since an attacker who copies the file still has to guess each password. If you are using an old version of an operating system that stores plaintext or reversibly encrypted passwords, or keeps the hashes in a world-readable file, upgrade to a newer version of the operating system or modify the login procedure to...
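The following is an added example, not the book's code and not any operating system's implementation, showing what a protected password store actually contains: a salted, iterated one-way hash per account (PBKDF2-HMAC-SHA256 from Python's standard library, in a self-describing record so parameters can be raised later), compared in constant time. The user names and passwords are constructed for the illustration, and the 600,000 iteration count is an assumed parameter, not a value from the page.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000          # assumed work factor; raise it as hardware gets faster


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'alg$iterations$salt$hash'; the plaintext is never stored."""
    salt = secrets.token_bytes(16)                    # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and parameters, compare in constant time."""
    alg, iterations, salt_b64, digest_b64 = record.split("$")
    if alg != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations),
                                 dklen=len(expected))
    return hmac.compare_digest(digest, expected)    # no early exit on the first differing byte


def needs_rehash(record: str) -> bool:
    """True if the record was made with a weaker algorithm or fewer iterations than current policy."""
    alg, iterations, _, _ = record.split("$")
    return alg != ALGORITHM or int(iterations) < ITERATIONS


# Precomputed record for a random password so that a lookup of an unknown user
# costs the same time as a wrong password for a real one (no user enumeration by timing).
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def authenticate(store: dict, username: str, password: str) -> bool:
    """Check a login against a {username: record} store."""
    record = store.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)    # burn the same time, then refuse
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample store: what the 'password file' should look like.
    store = {"alice": hash_password("winter-kayak-orbit-fable-42")}
    print(store["alice"])
    print("alice/correct  ->", authenticate(store, "alice", "winter-kayak-orbit-fable-42"))
    print("alice/wrong    ->", authenticate(store, "alice", "password1"))
    print("mallory/any    ->", authenticate(store, "mallory", "winter-kayak-orbit-fable-42"))
```

Two users with the same password get different records because each has its own salt, so a stolen file cannot be attacked with one precomputed table; call needs_rehash at a successful login to migrate old records to the current work factor.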