... account security advice for people doing system administration.

  • Make sure you use strong passwords; i.e. ones that are not easy to guess.
  • Don't use the same passwords for everything.  In particular, don't use the same password on an important account and some random website.  If you use the same password for multiple accounts and the password leaks, then potentially all of your accounts are vulnerable.
  • Use a digital key-chain (a password manager) to deal with the problem of remembering many different passwords.
  • Don't share account names and passwords with other people.
  • Watch out for shoulder surfers when you enter a password.
  • Beware of the possibility of keystroke loggers when you enter a password on a system whose physical / OS security is suspect; e.g. any system that lives in a public space.
  • For remote access, use SSH key access rather than password access, and disable remote password access whenever possible.
  • Use different SSH key pairs for different services.
  • Always put a pass-phrase on your personal private keys and key-chains.  Use a particularly strong one.
  • Back up your keys and your key-rings.
  • If you use a paper-copy backup, make sure that the paper-copy is properly secured at all times.
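An added example covering the SSH items above (it is not part of the original post): one passphrase-protected key pair per service, a client config that pins each key to its host, the server-side lines that disable remote password access, and a small check of an sshd_config file. It assumes OpenSSH; the host names and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH (ssh-keygen,
# sshd_config syntax); host names and file paths are constructed placeholders.

# One passphrase-protected key pair per service (ssh-keygen prompts for the
# pass-phrase). $1 = service label, $2 = comment to embed in the public key.
make_service_key() {
  ssh-keygen -t ed25519 -a 100 -f "$HOME/.ssh/id_ed25519_$1" -C "$2"
}

# Client ~/.ssh/config: pin each key to its host; IdentitiesOnly stops the
# agent from offering every loaded key to every server.
client_config_snippet() {
  cat <<'EOF'
Host git.example.invalid
    IdentityFile ~/.ssh/id_ed25519_git
    IdentitiesOnly yes
Host shell.example.invalid
    IdentityFile ~/.ssh/id_ed25519_shell
    IdentitiesOnly yes
EOF
}

# Server sshd_config lines that disable remote password access
# (older configs spell the last one ChallengeResponseAuthentication).
hardened_sshd_fragment() {
  printf '%s\n' 'PubkeyAuthentication yes' \
                'PasswordAuthentication no' \
                'KbdInteractiveAuthentication no'
}

# sshd honours the FIRST uncommented value of a directive; this mirrors that.
# $1 = directive in lower case, $2 = sshd's default, $3 = config file.
first_value() {
  awk -v d="$1" -v def="$2" \
    'tolower($1)==d && v==""{v=tolower($2)} END{print (v==""?def:v)}' "$3"
}

# Audit a config file: prints "ok" and returns 0 only if password and
# keyboard-interactive logins are off and public-key logins are on.
# Match blocks are not evaluated, so treat "ok" as necessary, not sufficient.
check_sshd_config() {
  pw=$(first_value passwordauthentication yes "$1")
  kb=$(first_value kbdinteractiveauthentication yes "$1")
  pk=$(first_value pubkeyauthentication yes "$1")
  if [ "$pw" = no ] && [ "$kb" = no ] && [ "$pk" = yes ]; then
    echo ok; return 0
  fi
  echo weak; return 1
}
```

Note that a commented-out `#PasswordAuthentication no` leaves sshd at its default of `yes`, which is exactly the case the check is meant to catch.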
16 February 2015 01:52 PM
It would be good to have a link to where people can learn how to create SSH keys.
16 February 2015 03:04 PM
As we saw, there are a number of steps to follow, and it might be nice to list these and also link to help. It's the sort of thing that is easy to follow but then easy to forget if you don't do it very often.