**************************************************************************
Security Bulletin 9308                  DISA Defense Communications System
March 26, 1993              Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

  The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
  Coordination Center) under DISA contract as a means of communicating
  information on network and host security exposures, fixes, and concerns
  to security and management personnel at DDN facilities.  Back issues may
  be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
  using login="anonymous" and password="guest".  The bulletin pathname is
  scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
  and "nn" is a bulletin number, e.g. scc/ddn-security-9308).
**************************************************************************

                           PASSWORD MANAGEMENT

  REFERENCES:

  o  DCA Circular 310 P115-1, DDN Security Management Procedures
     for Host Administrators (Volume 1), dated May 1991.

  o  CSC-STD-002-85, Department of Defense Password Management
     Guideline, dated 12 April 1985.


  The Defense Information Systems Agency continually strives to improve
  its' resources for providing a reasonable level of security for the
  Defense Data Network.  This bulletin is meant to reinforce emphasis
  on password management.

  Individual accountability is the key to securing and controlling any
  system that processes information on behalf of individuals or groups
  of individuals.  A number of requirements must be met in order to
  satisfy this objective.  The first requirement is for individual user
  identification.  Second, there is a need for authentication.  Without
  authentication, user identification has no credibility.  The security
  provided by a PASSWORD system depends on the passwords being kept secret
  at all times.

  Host Administrators must assure that passwords are kept secret by their
  users.  Host Administrators must also assure that passwords are robust
  enough to thwart exhaustive attack by password cracking mechanisms,
  changed periodically and that password files are adequately protected.

  Passwords should be changed at least annually.  Encryption of stored
  passwords should be used whenever the access control mechanisms provided
  by the ADP system are not adequate to prevent exposure of the stored
  passwords and even when other access controls are considered adequate,
  as this helps protect against possible exposure when normal access
  controls are bypassed (e.g., System Dumps).  Encryption of the password
  should be done immediately upon entry, the memory containing the plain
  text password should be erased immediately upon encryption and only the
  encrypted password should be used for comparison.  It is recommended
  that the password typed in by the user is not echoed, when the system
  cannot prevent the password from being echoed, it is recommended that
  a random overprint mask be displayed before of after the password is
  entered, as appropriate, to conceal the typed password.  The length of
  the password should be, at a minimum, six (6) alphanumeric characters.

  It is also recommended that users memorize their passwords and not write
  them on any medium.  If passwords must be written, they should be
  protected in a manner that is consistent with the damage that could be
  caused by their compromise.

  IT IS CONSIDERED A SECURITY VIOLATION TO MAKE KNOWN, SHARE, OR EXPOSE
  ALL OPERATIONAL PASSWORDS AND ACCESS CODES.

  It is recommended that each accumulation of five (5) consecutive
  unsuccessful login attempts from a single access port or against
  a single user ID results in the immediate notification of the
  event to the ADP system operator or the System Security Officer.

  Formal investigations of unauthorized or illegal activities occurring
  on the Defense Data Network (DDN) must be coordinated with the DDN
  Network Security Officer (DDNNSO).  Individuals suspected of unauthorized
  access to or use of host computers over the DDN will be subject to
  prosecution under title 18 of the federal criminal code.

****************************************************************************
*                                                                          *
*    The point of contact for MILNET security-related incidents is the     *
*    Security Coordination Center (SCC).                                   *
*                                                                          *
*               E-mail address: SCC@NIC.DDN.MIL                            *
*                                                                          *
*               Telephone: 1-(800)-365-3642                                *
*                                                                          *
*    NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,   *
*    Monday through Friday except on federal holidays.                     *
*                                                                          *
****************************************************************************