{Your Name} – {Your Student Number} – Network Scripting ICA 1

On Enforcing the Use of Long Passwords in Linux Systems

{Your Name}
Teesside University
{Your Email Address}

Abstract

It is widely accepted that the use of long passwords is a good practice that increases the security of password-protected systems. Moreover, research suggests that password policies requiring little more than long passwords are more usable. In this paper, we survey research work on the use and security of long passwords. We also show how we can enforce password policies listed in the surveyed research by encoding them in Serenity, a domain-specific language for creating certified password composition policies.

1. Introduction

Password length is one of the most used criteria in password composition policies. Indeed, size matters: passwords that are too short are easy to remember, but normally considered unsafe; passwords that are too long are normally considered safer, but not so easy to remember. Existing research has established that password composition policies requiring length lead to more usability, and in some cases more security, than those requiring only a comprehensive mix of characters (Shay et al., 2014).

In this short paper, we investigate how password length affects the strength of passwords by surveying existing research on the topic. We also show how to encode password composition policies that enforce length constraints using Serenity, a domain-specific language (DSL) for creating certified password composition policies that follows from the work developed by Ferreira et al. (2017). Finally, we discuss a few characteristics of Serenity that make it more flexible than the current default password composition policy enforcement mechanism available on most Linux systems.

This paper is structured as follows. In Section 2, we discuss related and previous work on password strength, focusing on password length. In Section 3, we list and discuss some password composition policies that we identified in our literature review. In Section 4, we show how to encode some of these policies in Serenity.

2. Related Work

Researchers have found that policies requiring longer passwords with fewer requirements can be more usable and, in some cases, more secure than conventional policies. For example, this is supported by Shay et al. (2014), who conducted an online experiment with 8,143 participants to evaluate eight different policies. Their results confirm that password policies requiring length lead to more usability, and in some cases more security, than those requiring only a comprehensive mix of character classes and a dictionary check.

TODO:
1. Write a summary similar to the one above for the reference Yan et al. (2004). (10%)
2. Add one new reference and write a summary of it. Use Word's reference manager! (10%)

3. Password Composition Policies Focused on Length

TODO:
3. Here, you should describe in more detail at least two (maximum of four) password composition policies that focus on length. As a starting point, look at the policies mentioned in Shay et al. (2014), for example comprehensive8, basic12, basic16, 2word12 etc. (20%)

3.1. Enforcing Password Length Constraints on Linux Systems

In Linux systems, password composition policies are enforced using PAM modules (Samar, 1996) such as pam_cracklib or pam_pwquality. In the popular Linux distribution CentOS 7, password composition policies are enforced by the module pam_pwquality and can be configured in the file /etc/pam.d/system-auth. An example of a password composition policy is:

    password requisite pam_pwquality.so minlen=10

This line configures the system so that…

TODO:
4. Finish the above sentence by explaining what this line does (remember to read the man page of pam_pwquality, as suggested in Session 5). (5%)
5. Give 2 examples of passwords accepted by this pam_pwquality policy and 2 examples of passwords rejected. (4%)

4. Encoding Password Composition Policies in Serenity

In the previous section, we identified and listed a few relevant password composition policies. In this section, we show how they can be encoded in Serenity.

TODO:
6. Here, you should show how some of the policies mentioned in the previous section can be encoded in Serenity (at least 2 of them). For example, a policy such as basic8 would be encoded as:

    Definition basic8 :=
      (enforce new_pwd (min length 8) "New password must be at least 8 characters long!").

You can (and should!) use the "pwdquality" virtual machine that we used in Session 5 to test your Serenity encodings. Edit the file PasswordPolicy.v and use the ./serenity-activate command. (20%)

4.1. Comparison with pam_pwquality

TODO: Here, you should:
7. Briefly compare pam_pwquality and Serenity. You can focus on the example shown above (where minlen=10) and use what you have learnt in Session 5. (5%)
8. Give an example of another Linux distribution that uses pam_pwquality (or pam_cracklib) as the main password composition policy enforcement mechanism. You will need to include a short description of the distribution and indicate who its target users are. (5%)

5. Conclusion

TODO:
9. Summarise what you have learned on password strength and password length. (5%)
10. Mention other criteria besides password length that can make password-protected systems more secure. (5%)
11. Finish the paper with a list of professional, ethical, and legal compliance considerations that need to be followed when managing a password-protected system. (6%)
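As an added worked example (not part of the template, and not Serenity code), the length-focused policies named in Section 3 can be written as executable predicates in the same enforce/predicate/message shape as the Serenity encoding in Section 4. The policy definitions are my reading of Shay et al. (2014), and the names enforce, min_length, char_classes, min_words and evaluate are my own; the dictionary check of comprehensive8 is left out because no word list is embedded.

```python
"""Length-focused password policies as executable predicates.
Added example; the policy definitions follow my reading of Shay et al. (2014)."""
import re
from typing import Callable, Dict, List, Optional

# A Check returns None when the password passes, else the message to show.
Check = Callable[[str], Optional[str]]

def enforce(pred: Callable[[str], bool], msg: str) -> Check:
    """Same shape as Serenity's (enforce pwd predicate "message") (assumed)."""
    return lambda pwd: None if pred(pwd) else msg

def min_length(n: int) -> Check:
    return enforce(lambda p: len(p) >= n,
                   f"New password must be at least {n} characters long!")

def char_classes(n: int) -> Check:
    """At least n of: uppercase, lowercase, digit, symbol (non-alphanumeric)."""
    classes = [str.isupper, str.islower, str.isdigit,
               lambda c: not c.isalnum()]
    return enforce(lambda p: sum(any(f(c) for c in p) for f in classes) >= n,
                   f"New password must use at least {n} character classes!")

def min_words(n: int) -> Check:
    """A word is a run of letters; words are separated by non-letters."""
    return enforce(lambda p: len(re.findall(r"[A-Za-z]+", p)) >= n,
                   f"New password must contain at least {n} words!")

def evaluate(policy: List[Check], pwd: str) -> List[str]:
    """Run every check; an empty result means the password is accepted."""
    return [m for m in (chk(pwd) for chk in policy) if m is not None]

# Policies named in Section 3 (comprehensive8 without its dictionary check).
POLICIES: Dict[str, List[Check]] = {
    "basic8": [min_length(8)],
    "basic12": [min_length(12)],
    "basic16": [min_length(16)],
    "comprehensive8": [min_length(8), char_classes(4)],
    "2word12": [min_length(12), min_words(2)],
}

def accepted(policy_name: str, pwd: str) -> bool:
    return not evaluate(POLICIES[policy_name], pwd)

if __name__ == "__main__":
    # Constructed sample passwords, run against every policy.
    for name in POLICIES:
        for pwd in ("Passw0rd!", "correct horse battery", "tooshort"):
            print(f"{name:15} {pwd!r:25} {accepted(name, pwd)}")
```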
References

Ferreira, J., Johnson, S., Mendes, A. & Brooke, P., 2017. Certified password quality—a case study using Coq and Linux pluggable authentication modules. International Conference on Integrated Formal Methods, pp. 407-421.
Samar, V., 1996. Unified login with pluggable authentication modules (PAM). Proceedings of the 3rd ACM Conference on Computer and Communications Security, pp. 1-10.
Shay, R. et al., 2014. Can long passwords be secure and usable? Proceedings of the 32nd Annual ACM Conference on Human Factors in Computing Systems, pp. 2927-2936.
Yan, J., Blackwell, A., Anderson, R. & Grant, A., 2004. Password memorability and security: empirical results. IEEE Security & Privacy, pp. 25-31.

TODO:
12. You should add at least 1 more reference, but ideally you should add 2 more. We suggest that you use Google Scholar, but you can also use plain old Google. Remember that, as a Teesside University student, you are expected to use Harvard Referencing. Use the Word reference manager to make this easy! (5%)
