Appendix D. Sources for More Information

To keep your system secure, you should take a two-pronged approach. On the one hand, learn from the mistakes of your predecessors by reading legacy documents. On the other hand, you should constantly keep up-to-date on the latest security issues. The resources in this chapter will help you do both.

Linux Security Patches, Updates, and Advisories

Many Linux flaws and weaknesses are Linux-specific. Hence, you should start with Linux patches, updates, and advisories. See Table D.1 for links to such information.

Table D.1. Linux Security Patches, Updates, and Advisory Resources

| Distribution | Resource, Description, and Location |
| --- | --- |
| Caldera OpenLinux | Patches and updates are at ftp://ftp.caldera.com/pub/openlinux/. |
| | Advisories are at http://www.calderasystems.com/news/security/. |
| Red Hat Linux | Patches and updates are at ftp://updates.redhat.com/. |
| SuSE | Updates and patches are at http://www.suse.de/e/patches/index.html. |
| | Recent security advisories are at http://www.suse.de/security/index.html. |
| | Mailing lists are at http://www.suse.com/Mailinglists/index.html. |
| Debian Linux | For Debian Linux security information, start at http://www.debian.org/security/. |
| | For the latest advisories, and to join their mailing list, go to http://www.debian.org/MailingLists/subscribe. |

Mailing Lists

Table D.2 identifies several security mailing lists. Use them to keep up-to-date on the latest security issues.

Table D.2. Mailing Lists That Report Updates, Vulnerabilities, and Fixes

List and Description

The Eight Little Green Men Security List. Detailed discussion of security holes, exploits, and fixes. This list focuses primarily on UNIX. Junk mail is not allowed, nor transmitted. To subscribe, send a message that has the command subscribe 8lgm-list in the body.

The Alert List at Internet Security Systems. Alerts, product announcements, and company information from Internet Security Systems. To subscribe to this and other ISS lists, go to http://iss.net/vd/maillist.html#alert.

The BUGTRAQ Mailing List. Members here discuss vulnerabilities in the UNIX operating system. This is one of the very best sources for recent bugs and vulnerabilities. To subscribe, send a message with the command SUBSCRIBE BUGTRAQ in the body.

The Firewall Wizards Mailing List. Maintained by Marcus Ranum, this list is a moderated forum for advanced firewall administrators. To subscribe, go to http://www.nfr.net/forum/firewall-wizards.html.

The Linux Alert List. This list carries announcements and warnings from Linux vendors or developers. To join, send a message with the command subscribe in the subject line.

The Linux Security List. Now maintained by Red Hat, this list focuses on Linux security issues. To subscribe, send a message with the command subscribe in the subject line.

The Information Security Mailing List. Members of this list discuss security in information processing. To subscribe, send a message with the command SUB infsec-l your_email in the body.

The Firewall-1 Security List. This list focuses on issues related to CheckPoint's Firewall-1 product. To subscribe, send a message with the command SUBSCRIBE firewall-1 in the body.

The Firewalls Mailing List. This list focuses on firewall security. (This was previously .) To subscribe, send an email message with the command subscribe firewalls in the body.

The Cypherpunks Mailing List. Members discuss issues of personal privacy and cryptography. (If a major cryptographic API is broken, you'll probably hear it here first.) To subscribe, send a message with the command SUBSCRIBE in the body.

The Intrusion Detection Systems List. Members of this list discuss real-time intrusion detection techniques, agents, neural net development, and so forth. To subscribe, send a message with the command subscribe ids in the body.

The NTBUGTRAQ List. Maintained by Russ Cooper, the NTBUGTRAQ list tracks vulnerabilities and other security issues related to Microsoft Windows NT. To subscribe, send a message with the command subscribe ntbugtraq firstname lastname in the body.

The Risks Forum. Members of this list discuss a variety of risks that we are exposed to in an information-based society. Examples include invasion of personal privacy, credit card theft, cracking attacks, and so on. To subscribe, send a message with the command SUBSCRIBE in the body.

The Secure Sockets Layer Mailing Lists. Members of this list discuss developments in SSL and potential security issues. To subscribe, send a message with the command SUBSCRIBE in the body.

Usenet Newsgroups

Usenet groups are also good information sources. Much productive (and admittedly, non-productive) discussion occurs in such groups. Table D.3 lists a few.

Table D.3. Relevant Usenet Newsgroups

| Newsgroup | Topics Discussed |
| --- | --- |
| alt.2600 | Hacking, cracking, exploits. More noise than signal here, but occasionally some interesting information surfaces. |
| alt.2600.crackz | Hacking, cracking. This group focuses mainly on cracks and is a distribution point for cracks and wares. |
| alt.2600.hackerz | Hacking, cracking. This group is very similar to alt.2600. |
| alt.computer.security | General computer security, roughly equivalent to comp.security.misc. |
| alt.hackers.malicious | DoS, cracking, viruses. These folks focus on causing damage to their targets. |
| alt.security | Very general security issues. Occasionally, there is some interesting information here. However, this group also carries really general security information, such as alarms, pepper spray, and personal security. |
| alt.security.espionage | For the truly paranoid. |
| alt.security.pgp | Pretty Good Privacy. This group spawns interesting (and occasionally exhaustive) debates on cryptography. |
| comp.lang.java.security | The Java programming language. This group has interesting information. Certainly, whenever some major defect is found in Java security, the information will appear here first. |
| comp.os.linux.advocacy | This is an interesting place to visit, but you probably won't want to live there. In this group, folks talk about how they love Linux, and how other operating systems suck. Still, much valuable information is passed during the rather raucous exchanges (this is an unmoderated group). |
| comp.os.linux.announce | Watch this group for news of impending updates. |
| comp.os.linux.answers | A useful (and moderated) group. Here, Linux developers and document maintainers post new or updated how-to documents. You'll find a lot of valuable stuff here. |
| comp.os.linux.development.apps | Are you writing a Linux application and you need some answers? Check here. |
| comp.os.linux.hardware | Are you considering installing new hardware or troubleshooting existing hardware? Check this group for advice and possible solutions. |
| comp.os.linux.networking | In this group, folks discuss every aspect of networking, ranging from Ethernet and PPP all the way to plain old serial-bound communication. |
| comp.os.linux.x | A good starting point for learning more about peculiar problems with X. |
| comp.os.linux.setup | In this group, folks discuss installation issues. |
| comp.security | General security. Roughly equivalent to alt.security, but with slightly more focus on computer security. |
| comp.security.firewalls | This group is a slightly more risqué environment than the Firewalls list. The discussion here is definitely noteworthy and worthwhile. |
| comp.security.misc | General security. |
| comp.security.unix | UNIX security. This group often has very worthwhile discussions and up-to-date information. Probably the best overall UNIX newsgroup, and quite relevant for Linux users. |

Secure Programming

Sooner or later, you'll start developing your own Linux applets, scripts, or applications. The following resources focus on secure programming techniques.

General Web Security

General Security Resources

  • Resource: The Computer Emergency Response Team (CERT)

  • Description: CERT issues security advisories and provides research studies on incident response, survivability, and general network security. Formed in response to the 1988 Internet worm incident, CERT is one of the oldest and most reliable information sources for statistics, vulnerabilities, and trends in security.

  • URL: http://www.cert.org/

  • Resource: Navy Handbook for the Computer Security Certification of Trusted Systems

  • Description: Cradle-to-grave coverage of security plans (right down to penetration testing).

  • URL: http://www.itd.nrl.navy.mil/ITD/5540/publications/handbook/index-txt.html

  • Resource: Phrack magazine

  • Description: Phrack is currently the finest underground network security publication going. Each issue is chock-full of exploit code, analysis, and research. Much of the work is Linux-centric, and top-notch at that.

  • URL: http://www.phrack.com

  • Resource: Linux Net News

  • Description: Good general coverage of Linux issues, including security, market share, new applications, and techniques for successfully running a Linux network. Features the Linux Weekly News.

  • URL: http://www.radix.net/~cknudsen/linuxnews/

  • Resource: Packet Storm Security

  • Description: Security news and files (exploits, fixes, etc.) from the folks at Genocide2600.com.

  • URL: http://www.genocide2600.com/~tattooman/main.shtml

  • Resource: The Linux Help section at www.sekurity-net.com

  • Description: Both security-oriented and general help-oriented documents of interest to system administrators. For example, there are documents describing how to implement IP masquerading.

  • URL: http://www.sekurity-net.com/Linuxhelp.html

  • Resource: The alt.2600 Hack Frequently Asked Questions (0.12)

  • Description: This document has long been the starting point for hackers and crackers. It covers cracking passwords, defeating shadowing, attacking voicemail systems, war dialing, and the like.

  • URL: http://www.hack-net.com/texts/2600FAQ.txt

  • Resource: Linux Resources at Active Matrix's Hideaway

  • Description: This page describes Linux and provides links to various distributions and mini-distributions. (The author also devotes ample space to hacking and cracking.)

  • URL: http://www.hideaway.net/linux.html

  • Resource: The BUGTRAQ Archives

  • Description: This is an archive of the popular mailing list BUGTRAQ, one of the most reliable sources for up-to-date reports on newfound vulnerabilities in UNIX (and at times, other operating systems).

  • URL: http://geek-girl.com/bugtraq/

  • Resource: Internet Security Auditing Class Handouts

  • Description: Papers and talks from an April 30, 1996, class on security auditing by Dan Farmer and Wietse Venema. There's some very good stuff here, including a paper in which two system administrators share their experiences using SATAN to assay some 40,000 hosts.

  • URL: http://www.fish.com/security/auditing_course/

  • Resource: Shall We Dust Moscow?

  • Description: This is a fascinating independent security study conducted by Dan Farmer. Farmer scanned approximately 2,200 sites for security vulnerabilities and found saddening results.

  • URL: http://www.fish.com/survey/

  • Resource: U.S. Department of Energy's Computer Incident Advisory Capability (CIAC)

  • Description: CIAC provides computer security services to employees and contractors of the U.S. Department of Energy, but the site is open to the public as well. There are many tools and documents at this location.

  • URL: http://ciac.llnl.gov/

  • Resource: The International Computer Security Association

  • Description: This site contains reports, papers, advisories, and analyses of various computer security products and techniques. Moreover, the ICSA provides security training and certification.

  • URL: http://www.icsa.net/

  • Resource: Linux Today Security News

  • Description: Linux Today Security News lists breaking news on the latest Linux vulnerabilities.

  • URL: http://security.linuxtoday.com/

  • Resource: Securing Red Hat 5.X

  • Description: Kurt Seifried takes you through some important steps for locking down a Red Hat server.

  • URL: http://redhat-security.ens.utulsa.edu/

  • Resource: J. T. Murphy's Linux Security Homepage

  • Description: J. T. Murphy has assembled some nice links to various Linux security resources, including programs to keep your system safe and good, common-sense system administration.

  • URL: http://www.ecst.csuchico.edu/~jtmurphy/text.html

  • Resource: The Linux Security Administrator's Guide

  • Description: Created by Dave Wreski, this document is probably the best freely available Linux document anywhere. It offers start-to-finish coverage of Linux system administration.

  • URL: http://www.nic.com/~dave/SecurityAdminGuide/SecurityAdminGuide.html

  • Resource: Linux Administrators Security Guide

  • Description: Kurt Seifried takes you through many important aspects of Linux system security. (PDF document)

  • URL: https://www.seifried.org/lasg/

  • Resource: The Linux Programmers Guide

  • Description: Sven Goldt, Sven van der Meer, Scott Burkett, and Matt Welsh cover Linux programming in detail.

  • URL: http://rlz.ne.mediaone.net/usr/doc/LDP/lpg/lpg.html

  • Resource: The Linux Journal

  • Description: A great spot for the latest Linux news and some excellent editorial (tutorials, general information, employment, etc.).

  • URL: http://www.ssc.com/linux/

  • Resource: The Linux Documentation Project

  • Description: Essential starting point for Linux documentation.

  • URL: http://metalab.unc.edu/LDP/

  • Resource: Linux Administration Made Easy (LAME)

  • Description: Steve Frampton takes you through essential system administration tasks, with a strong focus on SlackWare.

  • URL: http://qlink.queensu.ca/~3srf/linux-admin/

  • Resource: The Linux Gazette

  • Description: The Linux Gazette routinely features great articles on configuring, securing, and running Linux.

  • URL: http://www.linuxgazette.com/

  • Resource: The Linux IP Masquerade Resource

  • Description: Links to everything you need to know about IP masquerading on Linux.

  • URL: http://members.home.net/ipmasq/

  • Resource: The Hard Disk Drive Database

  • Description: This site is a lifesaver when you're using older disks. It has disk geometry for thousands and thousands of disks. Aren't sure about that old hard drive? Find out here.

  • URL: http://www.pc-disk.de/pcdisk.htm

  • Resource: An Introduction to Computer Security

  • Description: The NIST COMPUSEC introduction, which is now dated but still quite relevant. Available in various formats, including Word, WordPerfect, PostScript, etc.

  • URL: http://csrc.ncsl.nist.gov/nistpubs/800-12/

  • Resource: Michael Sobirey's Intrusion Detection Systems Page

  • Description: Links to discussion on some 78 intrusion detection systems (quite comprehensive).

  • URL: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html#ACME

  • Resource: Intruder Detection Checklist

  • Description: A CERT checklist for establishing whether an intrusion has taken place. Dated but relevant.

  • URL: ftp://info.cert.org/pub/tech_tips/security_info

  • Resource: Live Traffic Analysis of TCP/IP Gateways

  • Description: Phillip A. Porras and Alfonso Valdes from SRI explore statistical and signature-based intrusion-detection analysis techniques to monitor network traffic. Heady stuff, but engrossing.

  • URL: http://www2.csl.sri.com/emerald/live-traffic.html

  • Resource: Network Intrusion Detector Distribution Site

  • Description: NID is a new tool suite from Lawrence Livermore Labs that helps detect, analyze, and gather evidence of intrusive behavior occurring on an Ethernet or Fiber Distributed Data Interface (FDDI) network using the Internet Protocol (IP). Currently available for Red Hat.

  • URL: http://ciac.llnl.gov/cstc/nid/intro.html

  • Resource: Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls

  • Description: An excellent primer from NIST's John Wack on firewalls and policy.

  • URL: http://csrc.ncsl.nist.gov/nistpubs/800-10/

  • Resource: Creating a Linux Firewall Using the TIS Toolkit

  • Description: Benjamin Ewy steers you through setting up a Linux firewall with Trusted Information System's Firewall Toolkit.

  • URL: http://www.ssc.com/lj/issue25/1204.html

  • Resource: An Introduction to SOCKS

  • Description: This document describes basic SOCKS concepts and provides links to SOCKS 4 and 5 models.

  • URL: http://www.socks.nec.com/introduction.html

  • Resource: The Anonymous Remailer FAQ

  • Description: This document covers all aspects of anonymous remailing techniques and tools. From André Bacard, author of Computer Privacy Handbook.

  • URL: http://www.well.com/user/abacard/remail.html

  • Resource: The Anonymous Remailer List

  • Description: This is a comprehensive but often-changing list of anonymous remailers.

  • URL: http://www.cs.berkeley.edu/~raph/remailer-list.html

  • Resource: Purdue University COAST Archive

  • Description: This is one of the more comprehensive security sites, containing many tools and documents of deep interest to the security community.

  • URL: http://www.cs.purdue.edu//coast/archive/

  • Resource: The Raptor Systems Security Library

  • Description: An aging but useful security library.

  • URL: http://www.raptor.com/lib/index.html

  • Resource: Forum on Risks to the Public in Computers and Related Systems

  • Description: This is a moderated digest of security and other risks in computing. Use this to tap the better security minds on the Net.

  • URL: http://catless.ncl.ac.uk/Risks

  • Resource: Forum of Incident Response and Security Teams (FIRST)

  • Description: FIRST is a conglomeration of many organizations undertaking security measures on the Net. This powerful organization is a good starting place for sources.

  • URL: http://www.first.org/

  • Resource: The CIAC Virus Database

  • Description: This is the ultimate virus database on the Internet. It's an excellent resource for learning about viruses that can affect your platform.

  • URL: http://ciac.llnl.gov/ciac/CIACVirusDatabase.html

  • Resource: Information Warfare and Information Security on the Web

  • Description: This is a comprehensive list of links and other resources concerning information warfare over the Internet.

  • URL: http://www.fas.org/irp/wwwinfo.html

  • Resource: The Center for Secure Information Systems

  • Description: This site, affiliated with the Center at George Mason University, has some truly incredible papers. There is much cutting-edge research going on here. The following URL sends you directly to the publications page, but you really should explore the entire site.

  • URL: http://www.isse.gmu.edu/~csis/publication.html

  • Resource: The AUSCERT (Australian CERT) UNIX Security Checklist

  • Description: An excellent security checklist.

  • URL: ftp://caliban.physics.utoronto.ca/pub/unix_security_checklist_1.1

  • Resource: Computer Security Policy: Setting the Stage for Success

  • Description: National Institute of Standards and Technology. CSL Bulletin. This document will assist you in setting security policies in your network.

  • URL: http://www.raptor.com/lib/csl94-01.txt

  • Resource: Electronic Resources for Security Related Information

  • Description: This document is dated but will still provide you with a comprehensive list of UNIX-related resources for security.

  • URL: http://ciac.llnl.gov/ciac/documents/CIAC-2307_Electronic_Resources_for_Security_Related_Information.pdf

  • Resource: Securing X Windows

  • Description: Lawrence Livermore National Laboratory Computer Incident Advisory Capability. This document will help you understand the basic weaknesses in X and how to shore up X security on your server.

  • URL: http://ciac.llnl.gov/ciac/documents/CIAC-2316_Securing_X_Windows.pdf

  • Resource: Securing Internet Information Servers

  • Description: This document will take you step-by-step through securing anonymous FTP, Gopher, and WWW services on your UNIX system.

  • URL: http://ciac.llnl.gov/ciac/documents/CIAC-2308_Securing_Internet_Information_Servers.pdf

  • Resource: The UNIX Guru Universe

  • Description: The UGU is an excellent place to start on system administration.

  • URL: http://www.ugu.com/

  • Resource: The UNIX Reference Desk at Geek-Girl

  • Description: Jennifer Myers, AKA Geek Girl, maintains this site, which boasts many good links to UNIX software and documentation.

  • URL: http://www.geek-girl.com/unix.html

  • Resource: The Linux Applications and Utilities Page

  • Description: This site also simplifies finding Linux software because the author has broken Linux applications down into categories.

  • URL: http://www.xnet.com/~blatura/linapps.shtml

  • Resource: The Linux-Security Archive at Sonic.net

  • Description: Searchable Linux security mailing list archive.

  • URL: http://www.sonic.net/hypermail/security/

  • Resource: RootShell

  • Description: Good resource for exploits and test code (for where Linux is the build platform, the target platform, or both).

  • URL: http://www.rootshell.com/

  • Resource: ENskip

  • Description: ENskip is a security module for the TCP/IP stack. It provides encryption and authentication of packets on the IP layer between two or more machines. ENskip is compatible with standard SKIP specifications (those on Solaris).

  • URL: http://www.tik.ee.ethz.ch/~skip/

  • Resource: Linux IPv6 FAQ/HOWTO

  • Description: Eric Osborne explains how to get IPv6 working on Linux.

  • URL: http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/faq/linux-ipv6.faq.html

  • Resource: Linux Firewall Facilities for Kernel-Level Packet Screening

  • Description: Jos Vos and Willy Konijnenberg explain kernel-level IP packet filtering, screening, and ipfwadm.

  • URL: http://simba.xos.nl/linux/ipfwadm/paper/

  • Resource: The UNIX Socket FAQ

  • Description: Go here to learn a bit about sockets.

  • URL: http://kipper.york.ac.uk/~vic/sock-faq/

  • Resource: Linux Filesystem Structure

  • Description: Daniel Quinlan takes you through the hardcore specs of the Linux file system. This is version 1.2 of the Linux Filesystem Structure (FSSTND).

  • URL: http://www.pathname.com/fhs/1.2/fsstnd-preface.html

  • Resource: LinuxPowered.Com

  • Description: A good resource for general Linux information, and documentation in particular.

  • URL: http://www.linuxpowered.com/

  • Resource: Linux Security 101

  • Description: Graeme Cross takes you through essential Linux security tasks.

  • URL: http://www.luv.asn.au/overheads/security/

  • Resource: The Infilsec Vulnerability Database

  • Description: A good resource for Linux vulnerabilities, as well as other UNIX flavors.

  • URL: http://www.infilsec.com/vulnerabilities/

  • Resource: Slash Dot Org

  • Description: The site that specializes in news for nerds (per their self-description). A great source for general networking and Linux news.

  • URL: http://www.slashdot.org/

  • Resource: A Short History of Cryptography

  • Description: Frederick B. Cohen takes you through a quick history of cryptography.

  • URL: http://www.all.net/books/ip/Chap2-1.html

  • Resource: Federal Information Processing Standards Publication 46-2

  • Description: The government standard document for the Data Encryption Standard.

  • URL: http://www.itl.nist.gov/fipspubs/fip46-2.htm

  • Resource: Terry Ritter's Crypto Glossary

  • Description: A magnificent glossary of cryptographic terms.

  • URL: http://www.io.com/~ritter/GLOSSARY.HTM

  • Resource: Crack: A Sensible Password Checker for UNIX

  • Description: An early paper from Alec Muffett describing the popular password auditing tool Crack.

  • URL: http://alloy.net/writings/funny/crack_readme.txt

  • Resource: Dictionary wordlists from the National Center for Supercomputer Applications

  • Description: Wordlists for password auditing/cracking.

  • URL: http://sdg.ncsa.uiuc.edu/~mag/Misc/Wordlists.html

  • Resource: The Wordlist Archive at Coast Purdue

  • Description: Wordlists for password auditing/cracking.

  • URL: ftp://coast.cs.purdue.edu/pub/dict/wordlists/

  • Resource: Self-Study Course in Block Cipher Cryptanalysis

  • Description: Great document from Bruce Schneier on block-cipher cryptanalysis (in PDF or PostScript).

  • URL: http://www.counterpane.com/self-study.html

  • Resource: Cryptographic Design Vulnerabilities

  • Description: Bruce Schneier examines some common vulnerabilities in crypto schemes.

  • URL: http://www.counterpane.com/design-vulnerabilities.pdf

  • Resource: DES Modes of Operation

  • Description: Federal document that offers a very technical treatment of the Data Encryption Standard.

  • URL: http://www.itl.nist.gov/fipspubs/fip81.htm

  • Resource: The Electronic Frontier Foundation DES Challenge News

  • Description: Keep up with the latest efforts to crack DES here.

  • URL: http://www.eff.org/descracker/

  • Resource: distributed.net

  • Description: These folks have cracked various encryption algorithms using thousands of computers over the Internet.

  • URL: http://www.distributed.net/

  • Resource: The Encryption and Security Tutorial

  • Description: Peter Gutmann offers a "Godzilla" tutorial, consisting of 500+ slides and addressing many important encryption issues.

  • URL: http://www.cs.auckland.ac.nz/~pgut001/tutorial/

  • Resource: Security Pitfalls in Cryptography

  • Description: Bruce Schneier addresses some common misconceptions about strong encryption.

  • URL: http://www.counterpane.com/pitfalls.html

  • Resource: 2x Isolated Double-DES: Another Weak Two-Level DES Structure

  • Description: Terry Ritter makes a good argument for replacing DES.

  • URL: http://www.l0pht.com/pub/blackcrwl/encrypt/2XISOLAT.TXT

  • Resource: Security Breaches: Five Recent Incidents at Columbia University

  • Description: Document that describes various security breaches from an administrator's viewpoint.

  • URL: http://www.alw.nih.gov/Security/FIRST/papers/general/fuat.ps

  • Resource: Foiling the Cracker: A Survey of, and Improvements to, Password Security

  • Description: Daniel V. Klein discusses practical aspects of password security and how increased processor power and poor password choices can lead to highly effective dictionary attacks.

  • URL: http://www.alw.nih.gov/Security/FIRST/papers/password/klein.ps

  • Resource: UNIX Password Security—Ten Years Later

  • Description: David C. Feldmeier and Philip R. Karn explore dictionary attacks and other methods of using substantial processor power to crack DES.

  • URL: http://www.alw.nih.gov/Security/FIRST/papers/password/pwtenyrs.ps.

  • Resource: A Simple Scheme to Make Passwords Based on One-Way Functions Much Harder to Crack

  • Description: Udi Manber discusses the possibility that crackers might generate and distribute a massive list of encrypted passwords.

  • URL: ftp://ftp.cs.arizona.edu/reports/1994/TR94-34.ps

  • Resource: Password Security: A Case History

  • Description: Robert Morris and Ken Thompson explore theoretical and practical means of cracking DES passwords.

  • URL: http://www.alw.nih.gov/Security/FIRST/papers/password/pwstudy.ps

  • Resource: CERN Security Handbook on Passwords

  • Description: CERN authors offer a short primer on choosing strong passwords.

  • URL: http://consult.cern.ch/writeups/security/security_3.html#SEC7

  • Resource: Observing Reusable Password Choices

  • Description: Eugene Spafford discusses the problem of reusable passwords.

  • URL: http://www.alw.nih.gov/Security/FIRST/papers/password/observe.ps

  • Resource: Opus: Preventing Weak Password Choices

  • Description: Eugene Spafford discusses how to avoid weak passwords and proposes a solution.

  • URL: http://www.alw.nih.gov/Security/FIRST/papers/password/opus.ps

  • Resource: Selecting Good Passwords

  • Description: David A. Curry discusses how to avoid weak password choices.

  • URL: http://www.dsm.fordham.edu/password-dos+donts.html

  • Resource: Announcing the Standard for Automated Password Generator

  • Description: A federal document that focuses on tools that can automatically create reasonably strong passwords.

  • URL: http://www.alw.nih.gov/Security/FIRST/papers/password/fips181.txt

  • Resource: Department of Defense Password Management Guideline

  • Description: The feds set forth their view on password security.

  • URL: http://www.alw.nih.gov/Security/FIRST/papers/password/dodpwman.txt

RFCs of Interest
