Security

You should never connect to the internet without a firewall. But which firewall method is appropriate for you?

If you are connected to a standard Small Office/Home Office (SOHO) router, such as a Linksys WRT54, we recommend you enable and configure the firewall on that. A border firewall that does Stateful Packet Inspection (SPI) and Network Address Translation (NAT) should provide a satisfactory level of protection from inbound attacks for most people. Please refer to your router's manual for more information on how to configure this.

Alternatively, if you require a higher level of security, have advanced gateway needs, or if you have a number of computers on an internal network to protect, we recommend you investigate the excellent BSD based firewall appliances m0n0wall and pfsense.

If however you have a standalone desktop/laptop that connects directly to the internet, do not despair. DesktopBSD includes the OpenBSD packet filter (PF) by default, and so by nature is ready to be a secure desktop operating system with only a small amount of configuration. We recommend at this stage that you read Dru Lavigne's excellent firewall howto. If you'd prefer to use FreeBSD's IPFW capability, you can also check out QTFW.

While it is true that the majority of viruses are targetted for Windows, that does not mean that a user of any other system, be it Linux, BSD, Mac OSX or otherwise should rest on their laurels. Security Through Obscurity can only go so far.

With this in mind, if you'd like Antivirus capability on your DesktopBSD system, we recommend that you install ClamAV and ClamTK from PORTS using the Package Manager.

You can also browse through PORTS/Security to see if you can find alternative Antivirus tools that you'd prefer to use, such as F-Prot.

Before we discuss secure passwords, let's first discuss one of the core theories of authentication security.

So with a combination of the above three, without any overlap - you wouldn't combine biometrics with more biometrics for example - you can attain a higher level of authentication security. And like a three legged stool - one leg is useless without the rest.

There are a number of different methods to generate secure passwords by yourself. If you simply want some generated for you, you can use an online tool like mytsoftware.com's PassGen, or Passkool.

There are two schools of thought around password requirements and restrictions

1. That there be strict password requirements e.g character limits, non-alpha numeric characters and that the passwords be changed regularly i.e short password lifetimes
2. That the users either generate or are issued one secure password with a long password lifetime that they use until such time as they want or need to change their password

This topic is highly debateable and outside the scope of this handbook, however, the UNIX password mentality tends away from short password lifetimes, arguing that regular password changes result in degradation of password security e.g Users will tend to iterate: password1, password2, password3

Instead UNIX tends towards setting one good solid password once with a long password lifetime. But the decision is up to you, if you want to use one method or the other, that's your choice! On any UNIX or UNIX-like system though, you should exercise extreme care with the password on your root account.

Some facts though:

• A password selected by a user is typically a dictionary word with a number e.g Password1 and as such will only have on average 18-20bits of entropy
• A randomly generated password of the same length will have on average around 53bits of entropy
• Entropy increases with the use of non-alphanumeric characters and mixing upper and lower case, as well as with the password length

One of the easiest ways to generate a password is to think of a phrase and use that to generate a password. As the phrase itself is easily remembered, you'll be able to easily input a secure password.

• Example Input: The Rain In Spain Falls Mainly On The Plain
• Example Acronym Output: TRISFMOTP
• Example Acronym Output w/ standard entropy: Tr15fM0tP

By applying two simple rules: Case switching and swapping vowels and consonants for numerical characters, we've created a relatively secure password. To take it one step further, simply add a non alphanumeric character or two.

• Example Acronym Output w/ non-alpha entropy: _Tr15fM0tP!

You should only turn a phrase into an acronym when using a phrase of eight or more words - eight words with entropy plus a couple of non-alphanumeric characters will yield a generally secure 10-character password. If you are using a smaller phrase, simply truncate the string of words and then apply entropy e.g Felix The Cat = _F3l1xTh3c4t! In fact, it's better this way as you get longer passwords, which increases the entropy level.

• Example Full Output: TheRainInSpainFallsMainlyOnThePlain
• Example Full Output w/ non-alpha entropy: Th3R4inIn$p41nF4llSM41nly0nTh3Pl41n+
  • The entropy gain of this password is under 20bits, but you should still mix up your characters to get any entropy gain you can, as well as protection from 'over the shoulder' and 'Post-It note' attacks. _TheRainInSpainFallsMainlyOnThePlain% is technically as strong, if not stronger, for example.

All you have to remember is your phrase, in this example “The Rain In Spain Falls Mainly On The Plain,” and the password itself will just fall into place at your fingertips. Try it!

Another method that is similar to passphrases is the Mixed Words method. Simply take two words and mash them together, swapping in the letters like a zipper.

• Example Input: This Word
• Example Output: TWhoirsd
• Example Output w/ standard entropy: TwH01rSd
• Example Output w/ non-alpha entropy: !TwH01r$d_

This example password attains mixed results in password strength tests, but that's because it's quite short. Mix together two long words however and you'll increase the security.

• Example Input: Marilyn Munroe
• Example Output: MMaurnirloyen
• Example Output w/ non-alpha entropy: $MM4uRn1rl0y3n%

When you first create or receive a secure password, it might be initially quite difficult to remember. Conventional wisdom holds that you should never, ever, write down a password, especially not on a Post-It Note. However, if you take into account the above three-tier security methodology, it's not hard to secure a password that you've written down. Here's how:

1. Take your secure password, we'll use _Tr15fM0tP! in this example
2. Select a method of obfuscation and mix the two together. As an example, we'll mix in a sequential series of numbers
   • _Tr15fM0tP! + 1234567890 becomes _1T2r31455f6M708t9P0!
3. Write down the obfuscated password e.g _1T2r31455f6M708t9P0!

That's it! Your password has been obfuscated. Anyone passing by your desk will find the password as useless as the used Post-It note it's written on. As they have neither your username or your obfuscation algorithm/method, they lack the Something You Are and Something You Know. Basically, you're adding a layer of Something You Know to Something You Should Know

For even more obfuscation security - put the Post-It note in your wallet or purse. This action turns the Post-It note into both Something You Know and Something You Have. When you get to your workstation, try to input your password, and if you fail simply look into your wallet/purse, decipher the obfuscation and input your password. It will typically take a couple of days for you to memorise your secure password, and then you can choose to either keep the Post-It note or throw it away.

Once you've got a secure password, you might be tempted to use it elsewhere e.g when you sign up for an online service, webmail etc. You should try to avoid this behaviour and instead try creating 3-4 secure passwords, obfuscating them and using the wallet/purse trick (try the back of a business card as a place to write them), and then grouping scenarios per password. As an example

• One secure password of a longer length (15+ characters) with a high entropy rate for use on your most important encrypted data and your root account
• One secure password of a secure length (10-20 or more characters) with a good entropy rate for normal desktop use - you can use this at home and work
• One secure password as above for online services where important personal information is stored e.g online shopping services
• One secure password of standard length (8 characters) with a reasonable entropy rate for use for any other services where you can afford to be lax with password security

A number of tools exist online that will measure the security of your passwords against a predefined set of requirements and algorithms. You can use these to test your password strength, but remember that they all test differently and will reflect different results somewhere around the line of reality.

• Microsoft's Password Checker rated _Tr15fM0tP! as Strong
• SecurityStat's Password Checker rated _Tr15fM0tP! as just right
• Rumkin.com's Password Checker rated _Tr15fM0tP! as reasonable
  • This checker also rates the obfuscated password _1T2r31455f6M708t9P0! as Strong, with 67.4bits of entropy
  • This checker rated the full Rain In Spain example Th3R4inIn$p41nF4llSM41nly0nTh3Pl41n+ as Very Strong with 129.9 bits of entropy