Each time a user logs in, the system displays the time and date of the last login. The most obvious evidence of a stolen password is when this last login is different from what the user remembers; secondary evidence is that a user's files have been altered. Warn users to note their last login and report any discrepancies immediately, including any instances where their files have been disturbed. Make certain that users follow the guidelines discussed in ``Login security'' and ``Password security''. These guidelines ensure that other users cannot guess passwords or otherwise obtain them.
The administrator should carefully consider which restrictions to place on passwords. One popular (and dangerous) practice is to have accounts without passwords. Although this feature is available, accounts without passwords are strongly discouraged. It is difficult to prevent damage or further penetration of the system once someone has logged on to an account. The identification and authentication procedure is the first line of defense against tampering.
Another weapon against stolen passwords is the interval between login attempts and the limits on unsuccessful login attempts for accounts and terminals. Although this can be annoying when a user makes a mistake in entering a password, it hinders an unauthorized user making repeated attempts to guess a password.
Other than reports from the users themselves, the principal method for detecting stolen passwords is to generate terminal and login reports -- see ``Creating account and login activity reports''. Look for: