Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Buy why do you want to know about cracking a password file??
Jamie...
Wow, this thread is basically ancient.
In an open society, in open knowledge and open source, you can and should never ask "WHY do you want to know that?"
Because knowledge is free and open and should be shared.
I wanted to know this because I own a system that I want to be sure that it is secure, now if I can't get the password, then nobody else can. If I can, so will others.
Bang, he gets the password. I tried it out on Windows 7 and yes, this actually works, scary!!!
And then watch how he bypasses UAC security, just by a making rubber ducky push enter. I predicted years ago that UAC could easily be fooled, but people told me "no, that can't be simulated"
and yet it can.
Now on Linux, with a password and not just a dumb click, you can't become root like this.
And I was waiting and knew this day would come, well, it as much earlier of course, I just did not know about it, but wisely, migrated away most of my systems over to Linux.
Convenience and ease of use screws up any security, for sure. ;-)
Wow, this thread is basically ancient.
In an open society, in open knowledge and open source, you can and should never ask "WHY do you want to know that?"
Because knowledge is free and open and should be shared.
Ancient is right! 15 years since last reply... possibly a contender for the necro-posting record.
But since it has been awakened in such a way, "open" is just a marketing term invented to avoid using the ideologically charged terms FREE and FREEDOM.
Knowledge should be FREE, but isn't thanks to the abomination of intellectual property law, which has no relevance to this thread as far as I can tell.
And it is always OK to question someone's motivation for engaging in potentially malicious activity, especially in a FREE society.
Ancient is right! 15 years since last reply... possibly a contender for the necro-posting record.
But since it has been awakened in such a way, "open" is just a marketing term invented to avoid using the ideologically charged terms FREE and FREEDOM.
Knowledge should be FREE, but isn't thanks to the abomination of intellectual property law, which has no relevance to this thread as far as I can tell.
And it is always OK to question someone's motivation for engaging in potentially malicious activity, especially in a FREE society.
You are very right, open is abused left and right by very proprietary and closed interests.
And IP is pretty terrible and with that I don't mean the IP of TCPIP. BUT, we still have Linux and other open source projects and so we DO KNOW freedom and live in it.
And I would say that as long as there is a legal and benign justification for asking a question, a legal and good use of something that would otherwise be considered somebody dangerous: like asking about what you can do with a knife, it is legit.
In the case of passwd, we need to know IF it can be cracked and how. Because we need to know about any horrendous safety flaws.
And also, to know if we can rest assured that nobody can decrypt out password really fast. And so far, I'm content and happy to know that no, it cannot. Brute forcing is not among these choices and does not fit the criteria for fast.
We do believe in security through transparency, not security though obscurity. I need to know if something is insecure, so I can act and prepare accordingly.
And not worry only, that we might tip off the bad guys about a security hole that they can exploit. Living in a society, where knowledge is privileged and secret and only available to a subset of people is not a pleasant idea.
What do I get as a price for grave robbing and resurrecting this (still current) topic?
Last edited by browny_amiga; 03-07-2016 at 10:50 PM.
The actual password file ordinarily contains a salted hash of the correct password. This means that you cannot "decode" it. All that you can do is to determine if the password entered by the user is correct.
+1. True freedom includes responsibility, and freedom without restraint is anarchy.
Thanks. I should clarify that asking questions can also show genuine interest, offering the opportunity to customize ones answer (vs the impersonal LMGTFY-like approach). More generally speaking one sometimes find the question asked may lead to a whole different approach because not everyone can accurately describe what they actually need...
Wrong. You can and may ask for clarification always.
OK, just letting you know, telling somebody Wrong, so openly and directly will cause adversarial behavior in many people. It makes them wrong and you right. Nobody likes to hear that and it makes many people defensive. And that is EVEN if you are really right. Dale Carnegie "How to make friends and influence people" does an eye opener there.
You misunderstood me in this one, and I probably could have written it better:
You of course are entitled to ask WHY, what I meant is that you are not allowed to restrict information, depending on first wanting to know why. Information can be gotten easily everywhere and you just create a little road block that can be easily circumvented by the asker.
So saying that, you won't stop somebody from doing hacking, if they want to and it is not that it is super secret knowledge that can only gained by asking on person that can check the motives first.
A person bent on black hat hacking/cracking will do it anyway, and might even fake their motives, saying that they need it for white hat hacking/cracking.
You of course are entitled to ask WHY, what I meant is that you are not allowed to restrict information, depending on first wanting to know why. Information can be gotten easily everywhere and you just create a little road block that can be easily circumvented by the asker.
What alternate universe did you arrive from?
So, in this scenario, what is your answer...
Code:
OP: How do you crack a password?
YOU: First, why do you want to know?
OP: None of your business really, but I want to crack into someone else's machine and exploit it for
my own purposes.
YOU: Choose one...
(a) Sure, guess it isn't any of my business anyway, here is how I do it in those circumstances...
(b) Well, OK, not telling you how would only create a little road block that you can easily
circumvent anyway, so here is how you do it...
(c) No, I don't think I want to be an accomplice to your crime, please go somewhere else.
In a FREE society you absolutely must have the right to say "NO!", and you must be responsible for your choices in all cases.
You misunderstood me in this one, and I probably could have written it better:
You of course are entitled to ask WHY, what I meant is that you are not allowed to restrict information, depending on first wanting to know why.
First of all, I don't like you telling me I am "not allowed" to behave in a manner that doesn't match you own beliefs.
That it just as offensive (if not more so) as what you just objected to in the same post - being called "wrong".
I will restrict information as I see fit, thank you. I'm a responsible adult who lives in the real world.
Ok guys, I agree with you there, if somebody outs themselves as somebody that is purposefully going to hack a machine and commit a crime, of course I would not give them the information.
What I meant was and here I talk about ME, what I would do. I, of course, am not allowed to tell you what you should or shouldn't do, that is what a free society is too.
So I want to take back my post, I did not intend to restrict anyone from restricting or not restricting any information. And it is offensive, you are right. I did not mean to say that, I wrote it wrong, don't know why it came out like that.
What I meant was that in my view, "I", MYSELF would not make it depending on somebody answering my "why do you want to know?".
If you chose to impose such a condition or qualifiers, you are of course free to do so.
So no, we don't have to have an endless post, I admit the error in my post and appologize.
Let's just be as civil as we know how to be. Someone who asks a question like this could well be wearing a white hat. It's a legitimate question to want to know how a password is securely stored ... in a passwd file or its shadow, or in a database, and so forth. It's also legitimate to want to know more about differences, since there are many ways that passwords ... "authorization and authentication" in general ... might be handled on any given system.
If the password storage system is well designed, then a secret like fc683cd9ed1990ca2ea10b84e5e6fba048c24929 will be impenetrable, unless you know the secret secret, and nothing else will tell you what the secret is unless you know the secret or by chance happen to guess what secret the secret is. And so, it is no secret how the secret has been concealed. "Security through obscurity" is no adequate protection for any secret. (Which makes the secret that I have just concealed, above, so utterly secret that I am sure it would be impossible for anyone to guess.)
Incidentally, this is a fundamental reason why the best authorization/authentication systems do not rely upon passwords or "shared secrets" at all, but instead use cryptographically generated one-of-a-kind digital certificates that might then be enciphered by a password string, and perhaps also be required to be used in conjunction with some "two-factor identification" device like a random-number token or pass-card. The certificate, which is unique, traceable, and individually revokable, is what grants access. The password only makes it harder to use if stolen. And, if it is stolen, it can be rendered utterly useless in seconds. (Similar things can be done with good ol' ssh, although they are much more prone to tampering.)
Last edited by sundialsvcs; 03-11-2016 at 10:33 AM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.