LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-14-2014, 05:02 AM   #1
prasanta dutta
LQ Newbie
 
Registered: Mar 2014
Location: India,kolkata
Posts: 1

Rep: Reputation: Disabled
Cool how to ensure that my Linux password can't be cracked by any user or even superuser


prasanta7dutta@gmail.comhow to ensure that my Linux password can't be cracked by any user or even superuser
 
Old 03-14-2014, 06:56 AM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,696

Rep: Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261
Use a good password?

It is relatively difficult to crack any one way hash... especially now with the more advanced hash functions.

dictionary attacks are easy - but useless against good passwords.
 
1 members found this post helpful.
Old 03-14-2014, 06:59 AM   #3
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,445

Rep: Reputation: Disabled
Passwords are stored as salted hashes, and as long as the password is strong and the operating system isn't spying on you, the only way to crack the encryption is via brute-force methods. For a reasonably strong password and a modern hash algorithm, this just isn't feasible.

However, the superuser doesn't have to crack your password in order to gain access to your local account.
 
2 members found this post helpful.
Old 03-14-2014, 07:31 AM   #4
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 3,013
Blog Entries: 1

Rep: Reputation: 630Reputation: 630Reputation: 630Reputation: 630Reputation: 630Reputation: 630
You don't need to crack the password. root can reset the password or su to the user without supplying the password. Neither of which tells them what the password is, but functionally it's not needed. They can also clone the system to other hardware and devote all of that machines efforts to brute forcing the password if they wanted to.
 
Old 03-14-2014, 07:34 AM   #5
snowpine
Senior Member
 
Registered: Feb 2009
Posts: 4,192

Rep: Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178Reputation: 1178
Strange that you are concerned about your password, but willing to put your email address on a public forum!
 
2 members found this post helpful.
Old 03-14-2014, 08:23 AM   #6
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 9,350

Rep: Reputation: 2750Reputation: 2750Reputation: 2750Reputation: 2750Reputation: 2750Reputation: 2750Reputation: 2750Reputation: 2750Reputation: 2750Reputation: 2750Reputation: 2750
every password can be cracked. probably it will take time, but it is not impossible. Therefore you need to change your password time by time...
 
Old 03-14-2014, 09:16 AM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 18,887

Rep: Reputation: 4258Reputation: 4258Reputation: 4258Reputation: 4258Reputation: 4258Reputation: 4258Reputation: 4258Reputation: 4258Reputation: 4258Reputation: 4258Reputation: 4258
Quote:
Originally Posted by prasanta dutta View Post
how to ensure that my Linux password can't be cracked by any user or even superuser
You can't, and the superuser doesn't have to 'crack' your password, since they can just CHANGE IT whenever they'd like. And no one here is going to email you answers...this is a community forum, so unless you participate in the forum, you won't get answers.
 
Old 03-14-2014, 09:49 AM   #8
Habitual
LQ Addict
 
Registered: Jan 2011
Posts: 8,350
Blog Entries: 11

Rep: Reputation: 2327Reputation: 2327Reputation: 2327Reputation: 2327Reputation: 2327Reputation: 2327Reputation: 2327Reputation: 2327Reputation: 2327Reputation: 2327Reputation: 2327
Quote:
Originally Posted by snowpine View Post
Strange that you are concerned about your password, but willing to put your email address on a public forum!
Maybe that is his password?
 
Old 03-14-2014, 02:18 PM   #9
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian
Posts: 2,179

Rep: Reputation: 334Reputation: 334Reputation: 334Reputation: 334
Just be sure not to use "password" as your password. Use "password123" instead. That makes it super-secure.

Even if you encrypt your stuff, and want to keep that data out of root's hands, you will fail. root can view raw memory, put keyloggers on you, etc. If root is patient, persistant and knowledgeable enough, you have already lost before you even get started.
 
Old 03-14-2014, 03:47 PM   #10
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
See:
http://www.thegeekstuff.com/2008/06/...ong-passwords/
There's also rule 3, deducibility: Don't use you date of birth or any number or data from your personal information, which is rather easy to come by. And rule 4, change it often in case they are brute-forcing it.

Avoid common passwords, and there are many lists online of the most common passwords.

None of this can guarantee that your password can't be cracked, but it will make it less likely.
 
Old 03-14-2014, 04:19 PM   #11
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,445

Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
every password can be cracked. probably it will take time, but it is not impossible. Therefore you need to change your password time by time...
While this may be technically correct, cracking a hash created with an algorithm without known vulnerabilities would literally take ages. Consider this little thought experiment:
  • a user has a complex password of unknown length that's not a common dictionary word
  • the password is hashed with SHA1 using a random salt
Since the password isn't vulnerable to a dictionary attack and may be any length, the attacker would have to resort to brute-force cracking.

A SHA1 hash is 160 binary digits long. That means there are 2^160 possible hashes. If that doesn't sound like a lot, here's the full 49-digit number:

1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

I don't know how fast one can generate SHA1 hashes, but let's go out on a limb and assume the attacker has full access to all the resources in both the Microsoft Azure and Amazon Elastic Cloud environments. Let's say the combined efforts of these systems can generate a mind-numbing one quintillion hashes (1,000,000,000,000,000,000 hashes) per second (which I'm pretty certain they can't, not by a long shot).

Let's further assume that the attacker only has to search through half the keyspace before a matching hash is found. He'll then have cracked the password after roughly 730,750,818,665,451,459,101,842,416,358 seconds, which is a little over 23 sextillion years. By then, the hacker will have had to deal with some other pressing issues, such as the heat-death of the universe.

TL;DR: Brute-forcing hashes is really hard work, which is why most attacks against encryption algorithms are based on cryptanalysis, exploiting weaknesses in the algorithm itself.

Last edited by Ser Olmy; 03-14-2014 at 04:22 PM.
 
Old 03-14-2014, 04:47 PM   #12
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
There's a lot of assumptions there. First we are assuming that LOGIN_RETRIES is sensible. If your password is '12345' or 'password', then a dictionary attack is viable i.e. you'll guess the password before you run out of tries.

For the hash algorithm used by shadow, you can check '/etc/shadow' to see what hash is used:
http://dietrichschroff.blogspot.com/...passwords.html
I know Slackware uses $5$ which is SHA-256, but outdated distros may use $1$ (MD5), which is rather broken. However, the salt greatly improves the security.
http://ehash.iaik.tugraz.at/wiki/The_Hash_Function_Zoo
http://en.wikipedia.org/wiki/Cryptog...ash_algorithms
 
Old 03-14-2014, 04:48 PM   #13
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,696

Rep: Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261Reputation: 1261
Or the use of rainbow tables...

Generating the hash is slow... but searching a pre-existing list is much faster (I think a radix search is the fastest).

The problem is that storing 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976 different hashes is still a bit hard.
 
Old 03-14-2014, 04:53 PM   #14
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,445

Rep: Reputation: Disabled
Quote:
Originally Posted by jpollard View Post
Or the use of rainbow tables...

Generating the hash is slow... but searching a pre-existing list is much faster (I think a radix search is the fastest).

The problem is that storing 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976 different hashes is still a bit hard.
Not to mention that someone would still have to generate the rainbow table first.

Rainbow tables are usually created based on (permutations of) dictionary words. Creating a rainbow table for every possible combination of characters would take as long as brute-forcing the hash.
 
Old 03-14-2014, 05:01 PM   #15
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
I thought of rainbow tables, but the salt prevents it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how to get a superuser password? budster13 Linux - Newbie 3 02-08-2011 11:41 AM
forgotten superuser password reset sourabh.sinha Linux - Newbie 5 03-02-2010 08:12 PM
debian root password cracked ahmed gamal Debian 4 02-02-2008 09:25 AM
I forgot my Superuser password on Suse 9.1 phishbone4 Linux - Security 3 07-24-2006 11:20 AM
Loaded Linux, lost login ID and password for superuser? How can I recover? PaulK Linux - Newbie 3 08-24-2004 10:01 PM


All times are GMT -5. The time now is 10:52 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration