im doing a project on password auditing and need to know whether all users can view etc files

Mmmm, I don't quite understand the question.

All users have read permissions on most files under /etc, if that's what you mean. This is necessary, because the programs you use need to read this configuration files, and they have the same permissions of the user they run under.

About passwords, /etc/passwd is readable by all users. It's a need as well. That file holds vital info that needs to be accessible. However, the passwords are not really there, they are safe on /etc/shadow, and that shouldn't be readable by regular users. /etc/passwd only contains the placeholders for these passwords, but the actual passwords are encrypted in the shadow file.

Users can only view what they have permission to view. You can change permissions using chown with root privileges and ls -l should show what files/directories have what permissions. Root can see everything but it is possible for users to get their files encrypted in such a way that it's basically unreadable without knowing what encryption is in place.

I am not going to go to in depth because it's not my job to do other people's projects for them, but I think I have given enough information their to be useful, hmmm?

any ideas as 2 why we convert passwd to uppercase in the md4 algorithm which is used in NTLM encryption

it is always recomeneded that your passwd be greater than 8 letters .why is it so ??

Because smaller passwords are easy to crack using brute force techniques.

The hardiness of a password grows exponentially each time you add a new digit to the password, as you might already know if you are researching on this. It simple maths.

Computationally, cracking passwords that are smaller than 8 characters is usually a breeze, a few hours or days at most on modern hardware.

As you said, he'd know if he researched it, he is just being lazy. This guy needs to do his OWN project. These are things so easy that you can find them quite quickly if you just use a search engine...

why 8 is the magic no. for password length ???

why not 9 or 5 ???

To get the basics you should read some basic cryptography. Learning a few old/weak algorithms doesn't take much time but gives you a good idea about how people have tried to solve the problem of secure messaging during the history. Then when you get the basics, go on to RSA (it's not difficult to understand either, if you play around with small enough numbers) and you'll learn a little more modern methods..

After you have studied the basics of the encryption algorithms/methods that you're interested in, you should know what things affect the "goodness" of the method, for example the length of a password. Eight is not a "magic number"; less or more does as well, but usually the smaller the numbers/lengths used, the easier the algorithm is to "break" (figure out enough of it to decrypt the encrypted content). On the other hand, the bigger the numbers or longer the lengths, the more it takes computing power and time to calculate the algorithm. So it's all about finding a balance between speed and security..at the moment it looks like there is no, nor will probably never be a fully secure way of encrypting data, but the methods used today are difficult enough to make using them sensible (especially if encryption/keys change frequently enough). But people study these things every day, and might well one day find that a method thought to be good contains a weakness that can be used to exploit it; that's why encryption algorithms are developed all the time, old are left out and new ones taken in. Read about SHA1- and MD5-algorithms for example.

If you need to ask why passwords should be N characters long and not M or L (where N, M and L are certain integers), or why they should contain alphanumeric characters instead of just characters, you don't probably understand enough of the basics..so head to a local library and get a book about the history of encryption for a start.

There's no magic behind it.

It's just what fits today's hardware. At one point in the future we will have pc's with 100 cores running at 10 terahertzs, then that number will probably be raised to 14 or 15, since a 8 chars password would be easily crackable in a fair time lapse.

how can i estimate the length of the password stored in the sam file??