Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Is it possible that if the password file of the Linux gets copied, cracker can break the system password? In what way I can make the Linux password protection more secure. Does any one have idea about it?
Linux supports a special password protection technique by maintaining a shadow password file. A Shadow password file is a special version of password files that only root can read.
The password information is left out of the password file. You can determine weather the system users shadow password file by checking the password file. Type the following command on the command prompt.
# more /etc/passwd
It will display the content of the password file. Each line in the file represents information about a particular user. A colon ( separates each information in a line. The second field is for password. If the password exists in the file then shadow password technique is not used by the system.
The shadow password technique can be implemented by converting the password file. You can do this by using the pwconv command. Log in as root and enter pwconv command at the prompt. It will not display any message, but when the shell prompt returns, your system will have a /etc/shadow file and /etc/passwd file encrypted password data is replaced with an x. The password data is now moved to /etc/shadow.
Originally posted by ccalvin12 Is it possible that if the password file of the Linux gets copied, cracker can break the system password? In what way I can make the Linux password protection more secure. Does any one have idea about it?
To more directly answer your questions -- Yes. If a person gets the file that contains your crypted passwords (be it passwd or shadow) they can get the passwords out of the file ... eventually. The length of time they'll need is based on a lot of things, but mostly what crypto algorythm your system uses and how well you pick your passwords .
If you're not using shadow passwords, then you should be. RonRice offers good info on that.
Check out John the Ripper: http://www.openwall.com/john/ that'll do it, it can take incredibly long for a good password (Incredibly long = days +, weeks etc...).
Last edited by mikeyt_333; 02-21-2005 at 03:04 PM.
well, it you would use blowfish cracking is posible... but not now. Of course it depends on the implementation, but until now there is no report of breaking blowfish. This may change in the future of course.
no, with dictionary it will take forever. That was tested already. Your passord advice is no better that using your name in terms of brute force breaking passwords (still try blowfish).
If you want real protection then use OTP. There is no way to quess it (unless you give them away )
Originally posted by broch no, with dictionary it will take forever. That was tested already. Your passord advice is no better that using your name in terms of brute force breaking passwords (still try blowfish).
If you want real protection then use OTP. There is no way to quess it (unless you give them away )
Oh really? So you're telling me that it's just as likely that someone will have |[q?AYJ)a. in their dictionary file as it is that they will have John or Mike? I doubt that ...
No argument about OTP, but I think we can all agree that a new user would find it easier to make up an ugly password and change it often than to set up OTP on all the services a box can offer ...
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.