|DACS_PASSWD(8)||DACS Web Services and CGI||DACS_PASSWD(8)|
dacs_passwd — manage private DACS passwords
This program is part of the DACS suite.
The dacs_passwd web service is used to manage usernames and passwords recognized by local_passwd_authenticate, a DACS authentication module. This utility serves a similar purpose for local_passwd_authenticate that Apache's htpasswd(1) command does for its mod_authn_file and mod_authn_dbm modules. These accounts and passwords are used only by local_passwd_authenticate and are completely separate from any other accounts and passwords.
Much of the functionality of this program is also available as a DACS utility, dacspasswd(1), which operates on the same password files. Because dacs_admin(8) provides the same functionality and more, dacs_passwd may be removed in a future release.
This web service enforces several requirements over and above
those specified by its access control rule.
USERNAME argument must be syntactically valid
The user must already be authenticated.
To change his password, a (non-admin) user must enter his current password.
The default DACS ACL restricts use of this web service to a DACS administrator and to users who are setting the password for their own DACS account at the receiving jurisdiction. Administrators should ensure that the ACL for dacs_passwd is correct for their environment.
In addition to the standard CGI arguments, dacs_passwd understands the following CGI arguments:
The following operations are supported:
SET but add or replace an entry for
Delete the account for
Disable the account for
Enable the account for
USERNAME, if it exists, otherwise
A disabled account is indicated by a '
(which is not a valid character in a username).
Sets or resets a DACS password for
must also be given and be identical to
Unless the operation is performed by a DACS
administrator (i.e., an
or disabled by the
the current password for
USERNAME must be given as
For users other than a DACS administrator, a password must meet certain requirements on its length and the character set from which it is comprised. Note that these requirements are only significant at the time a password is set or changed; existing passwords are unaffected by changes to the configuration directives. Please refer to the PASSWORD_CONSTRAINTS directive.
Users should be made aware of security issues related to passwords, including better techniques for selecting passwords and keeping them private.
Creating a memorable (non-random) sentence of between 5 and 10 words has also been argued.
While formulating a strong password is important, most people have multiple accounts and each should have a different password. This can be handled by creating passwords using a method similar to the one described in this proposal. Basically, each password is site-specific and formed from three separate components:
a short, random string
that is common to all of the user's passwords,
and unlikely to be in any dictionary;
a string that is derived from a site's name (or domain name) using
some simple and easy-to-remember procedure
(e.g., using an obvious abbreviation or prefix,
or the first four letters or consonants,
perhaps mixing upper and lower case); and
a short, site-specific random string that
is different for each of the user's passwords,
and unlikely to be in any dictionary.
PIN-1 is memorized by the user
and never written down (except, perhaps, if kept in a safety deposit box
or other highly secure location).
The other two components may be written down but must be kept in a
relatively secure location
(such as in the user's wallet or in a locked desk drawer).
The user forms passwords by combining these three components in any order that is easy to remember, like:
Following that ordering,
for the site www.example.net,
a user might select the password "
example" (component 2,
is derived from the site's domain name,
RB8s" is a random string used with this password only
#i8" is the user's secret PIN
Because it is probably difficult to remember,
the user might record "
the same user might select the password "
For the site dacs.dss.ca,
the user might select the password "
Because the characters comprising
must be acceptable to all of the sites where a user has an account,
and some sites accept a rather limited character set for their passwords,
it may be necessary to restrict
to the alphanumeric alphabet.
The other two components can be chosen from whatever password
characters are permitted by the particular site.
As some sites unfortunately allow only relatively short passwords,
it is preferable to shorten
SITE rather than either
of the other two components.
Provided the basic rules are followed, a user can strengthen the method by making minor changes to the typed password as the three components are combined. As a simple example, one or more separating characters, also from a restricted character set so that it will be widely accepted, might be added before and after the middle component:
In this example, a '
Z' is used as a separating character.
This alteration is memorized, not recorded.
More generally, a user might make character substitutions,
insertions, or deletions that are easy to remember and perform mentally
as the three components are combined and typed.
For example, all digits in
PIN-2 might be recorded
with one added to them (modulo ten), or every third written character
might be discarded.
Applying these changes to the recorded components makes them less useful
to anyone else that might read them.
Since most people are not very good at it, the random strings should be chosen using a good-quality random generator, such as the random() function:
% dacsexpr -e "random(string, 4, 'a-zA-Z0-9,./;@#')" "y2FJ"
Or, on FreeBSD or macOS:
% jot -r -c 20 33 126 | rs -g 0 4 ib2Y 25$z vI9Z ^KpZ 51b7
The main disadvantage of the method is that if the "little black book" of password components is needed at more than one location it must either be carried or duplicated (with the copies synchronized). In practice, users will remember frequently used passwords and not need to consult the written components. Still, losing the written material could be painful, but passwords can usually be reset and a secondary copy could be kept at a safe, alternate location.
To summarize, these passwords:
PINcomponents longer, chosen from a larger space of characters, or by inserting one or more characters between components, or by performing some simple mental transformations on written components.
Software is available to help evaluate password strength (e.g., How Big is Your Haystack?), but avoid giving out an actual password you intend to use.
PASSWD (the default) or
SIMPLE, case insensitively, to select between
the item types
The requested item type must be configured
The DACS username of interest.
For recommendations on best practices for password selection and password verification, see Section 5 of NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, June 2017, updated to March 2020.
Distributed Systems Software (www.dss.ca)
Copyright © 2003-2020 Distributed Systems Software.
file that accompanies the distribution
for licensing information.
|DACS Version 1.4.44||27-May-2020||DACS_PASSWD(8)|
|Table of Contents||
$Id: dacs_passwd.8.xml 3119 2020-05-21 18:52:43Z brachman $