Encrypted Passwords, how could I tell?

wardialer · 10-01-2004, 03:47 AM

I am using MDK 9.1 and I would like to know how could I tell if my login and my root passwords are encrypted or not? Where could I go and see and how could I tell?

And also, how could I use cryptography like in OpenBSD?

320mb · 10-01-2004, 05:43 AM

Quote:

Originally posted by wardialer
I am using MDK 9.1 and I would like to know how could I tell if my login and my root passwords are encrypted or not? Where could I go and see and how could I tell?

look to see if you have /etc/shadow file??

or from command line :

Code:

pwconv

does this command give any errors???

wardialer · 10-01-2004, 09:58 AM

I went to KONSOLE or terminal and typed in 'pwconv' and no errors were given.

And yes, I do have the /etc/shadow.

chort · 10-01-2004, 11:24 AM

Look at the format of /etc/passwd

Code:

unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

See the * (asterisk) in the second column? That means the hashed password is in shadow.

Passwords really aren't encrypted, they're hashed. This means (roughly) that a pattern of the password is generated, but that there's no possible way to convert that pattern back to the original password; however, if you later run the same pattern algorithm on a password that the user types in, you can compare that pattern to the password pattern and see if they match.

None of that covers whether your password is protected when you're trying to authenticate, though. Depending on how you're logging in (Telnet, SSH, to get e-mail with POP3, etc) your password may or may not be protected. In that case it doesn't matter at all if your password on the disk is hashed and placed in /etc/shadow, if you use an insecure login protocol, then your password is exposed.

And as a small note, most Linux distributions use MD5 hashing for the password. Some security researchers have recently found flaws in MD5 that allows for some collisions to be generated. While this does not mean that you could use a hash to generate the correct password, there are now quicker ways to match the password by brute-force.

On the other hand, most of the BSD family use Blowfish to hash their passwords and there haven't been any weaknesses yet found with Blowfish.

wardialer · 10-02-2004, 10:06 AM

Here is the /etc/passwd/ file:

Most of them are like this including the root and username, look below:

Code:

:X:0:0  or  :X: 501:501

What could I do to make this Passwd more secure if its not already secure?

chort · 10-02-2004, 02:42 PM

Really the only thing to make it more secure is to use passwords at least 8 characters long. With methods other than Crypt() (DES) passwords longer than 8 characters actually get stronger (DES only hashed up to 8 characters, so anything beyond that was pointless). You could also switch from MD5 to Blowfish for your password hashing, but that would require resetting the password for everyone since there's no way to convert it.

SciYro · 10-03-2004, 08:12 AM

/me gets scared

how would that switching of the password hashing thing go with most distros?

wardialer · 10-03-2004, 09:09 AM

Quote:

You could also switch from MD5 to Blowfish for your password hashing, but that would require resetting the password for everyone since there's no way to convert it.

How would I do that?

Quote:

"Resetting the password for everyone"

Well, I am the only one who uses the computer. Thats it. And plus its a standalone with no webserver services running either. So how would I convert this passwd file to use Blowfish (BSD-like)??? But the bottom line is, the passwd file that was given above, is that encrypted??
I want to covert this to Blowfish. How?

Please explain the directions please.

chort · 10-03-2004, 04:16 PM

First, passwords are not encrypted, they're hashed. It's different because hashing is not reversable while encryption is (with the key). Second, you don't encrypt the password files, you store hashed passwords in them. Third, you don't want the password hashes in /etc/password because that allows them to be brute-forced off-line! Hashed passwords go in /etc/shadow (or /etc/master.passwd, depending on the OS). Fourth, I'm not aware of any Linux distros that allow you to use Blowfish as the native password hashing scheme, so you would have to find a PAM plug-in for that.

SciYro · 10-03-2004, 04:57 PM

oooowe, so your saying you don't know of a way to get pam to switch to the blowfisyies password hashing thingy?

owell (starts a search on google)

wardialer · 10-04-2004, 01:43 AM

I stumbled onto this online Plain text password to Blowfish encryption conversion. I think I will do that is to convert my existing login password to Blowfish using that online thing.

http://webnet77.com/cgi-bin/helpers/crypthelp.pl

chort · 10-05-2004, 12:08 AM

It doesn't do any good to convert your passwords to Blowfish hashing if your login mechanism doesn't support it (which Linux does not do, native). Also, I would strongly recommend against using someone's on-line tool to hash passwords. Think about it, they could easily keep a log of every plain text password and what IP made the connection to their site. It would be a simple matter to scan each IP for remote login services and try each password that was entered in the conversion site.

Cerbere · 10-05-2004, 06:35 AM

The Openwall project has bcrypt and pam_tcb module packages available to add to other distros. Check out the links below:

http://www.openwall.com/crypt/

http://www.openwall.com/tcb/

Enjoy!
--- Cerbere

guitarman85281 · 10-12-2004, 02:14 PM

Greetings
RH (9 at least) and SuSE 9 and up support Blowfish for encryption. Not by default, but it's still supported. I don't have definitive knowledge on any other distros so I don't want to comment on what I'm not sure of.