LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 12-18-2021, 07:38 PM   #1
androsob
LQ Newbie
 
Registered: Dec 2021
Location: Lima, Perú
Distribution: Ubuntu
Posts: 8

Know root password complexity


Hello everyone, I'm new to the forum. I wanted to know if there is a way to know the complexity of the root password without knowing it exactly.

I do not know if any encrypted record or file is generated that can show any indication of it.

It may seem absurd, but there are cases where we do not know the root password but we have to do a security audit on the server, and I don't want to be asking for the password every time I have to check it.

Thanks, androsob
 
Old 12-19-2021, 06:08 AM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,143

The only thing stored is the hash in /etc/shadow. From the hash, you cannot tell how long the original password is or what characters it contains.
 
Old 12-19-2021, 07:16 AM   #3
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 7,596
Blog Entries: 19

There used to be a website where you could input a password and get a judgement on its complexity. But I can see why you might not want to do that with your root password!
 
Old 12-19-2021, 07:32 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,321
Blog Entries: 3

Welcome.

Hashes are one-way, so without knowing the password, you can't tell without lots and lots of work. Furthermore, the password hash in /etc/shadow is salted for you. So you'd have to take the salt into account before you try going to the trouble of making a list of possible matching hashes using John the Ripper.

It'd be more practical just to reset the root password to something known good. You can easily make a good one by hand, but there are various utilities to either make or evaluate passwords. Cracklib is an example of the latter. While pwdgen is one example of many of the former, generating passwords is easy enough that you can make a good one with a few lines of perl, python, ruby, or whatever.

Last edited by Turbocapitalist; 12-19-2021 at 07:33 AM.
 
Old 12-19-2021, 08:39 AM   #5
boughtonp
Senior Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,609

Quote:
Originally Posted by hazel
There used to be a website where you could input a password and get a judgement on its complexity. But I can see why you might not want to do that with your root password!
You're probably referring to zxcvbn, which is a JavaScript library intended for use on registration pages - there is a demo of it in use which is safe so long as the relevant GitHub repo is not compromised.

The safer option is to download it and use it locally (again, after verifying there is no tampering to add remote requests in the code).


This doesn't solve the not-knowing-the-password problem - but it could be provided to the people that do know it, asking them to verify the passwords they're responsible for and change any that come below a certain strength rating.

 
Old 12-19-2021, 09:06 AM   #6
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,895

Quote:
Originally Posted by androsob
I wanted to know if there was a way to know the complexity of the root password without knowing it exactly.
No, there is no way to know the complexity of any password without knowing that password.

Quote:
Originally Posted by androsob
I do not know if any encrypted record or file is generated that can show any indication of it.
Quote:
Originally Posted by androsob
It may seem absurd, but there are cases where we do not know the root password but we have to do a security audit on the server and I don't want to be asking for the password every time I have to check it.

Thanks, androsob
The usual case is to check the complexity when you set it (and not allow setting simple ones).
You can use this: https://www.cyberciti.biz/security/l...ength-checker/
or probably even better: https://www.networkworld.com/article...-on-linux.html
Actually manually checking those passwords is not really acceptable nowadays. Security audits should not accept it at all.
 
Old 12-19-2021, 12:44 PM   #7
androsob
LQ Newbie
 
Registered: Dec 2021
Location: Lima, Perú
Distribution: Ubuntu
Posts: 8

Original Poster
Thank you all for your responses. I say this because we recently went through a security audit and the entire process of gathering the requested information was quite tedious.

But the absurd thing is that they ask you for records of everything, but they do not audit something as basic as the complexity of the root password.

So, since I'm from security, I wanted to know if there was any way to detect a possible insecure key and recommend that the infrastructure area correct them.
 
Old 12-19-2021, 03:20 PM   #8
boughtonp
Senior Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,609


One thing you can tell from the hash is the algorithm used.

Code:
sudo grep -oE '^[^:]+:\$[^$]+\$' /etc/shadow
This will most likely output rows like "root:$6$" - if you get any that contain "$1$" then that user's password is hashed by a now insecure algorithm - you need to check/fix the default, then require that user to change their password.

 
2 members found this post helpful.
Old 12-20-2021, 11:09 AM   #9
JeremyBoden
Senior Member
 
Registered: Nov 2011
Location: London, UK
Distribution: Debian
Posts: 1,947

You need to (visually) look at the root password.
If it fails typical recommendations for a good password, then it is a fail.

In addition, check passwords for any admin users where sudo gives root authority.

Quote:
Originally Posted by boughtonp
One thing you can tell from the hash is the algorithm used.

Code:
sudo grep -oE '^[^:]+:\$[^$]+\$' /etc/shadow
This will most likely output rows like "root:$6$" - if you get any that contain "$1$" then that user's password is hashed by a now insecure algorithm - you need to check/fix the default, then require that user to change their password.
$1  = MD5 hashing algorithm, very insecure
$2  = Blowfish algorithm is in use
$2a = eksblowfish algorithm
$5  = SHA-256 algorithm
$6  = SHA-512 algorithm
 
Old 12-20-2021, 12:49 PM   #10
boughtonp
Senior Member
 
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,609

Quote:
Originally Posted by JeremyBoden
$1  = MD5 hashing algorithm, very insecure
$2  = Blowfish algorithm is in use
$2a = eksblowfish algorithm
$5  = SHA-256 algorithm
$6  = SHA-512 algorithm
"$1$" is not MD5, it's md5crypt. That's not pedantry - there is a difference. (Not enough to stop it being insecure, but still a difference.)

On the same note, the difference between "$6$" (sha512crypt) and SHA-512 is enough to make "$6$"/sha512crypt adequate (for the time being), despite SHA-512 algorithm itself being a bad choice for passwords. (Also important to state that sha512crypt is different to "SSHA-512", which is another poor choice.)

"$2$" and "$2a$" and "$2b$" are different versions of the same algorithm (bcrypt, aka Blowfish-based crypt, which uses the Eksblowfish cipher). There are also unofficial prefixes "$2x$" and "$2y$" from PHP's implementation.

Some other notable ones are "$7$" for scrypt, "$y$" for yescrypt, and Argon2 has four variants "$argon2i$" and "$argon2d$" and "$argon2ds$" and "$argon2id$" which each have benefits against different threat types.

 
1 members found this post helpful.
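An added example, not code from the thread: it automates the prefix check from posts #8 to #10 over constructed /etc/shadow lines, mapping each user's crypt(3) id to the scheme named above and flagging the ones the thread calls insecure; the no-prefix DES case, the empty-password case and locked accounts are handled too. The sample lines and the WEAK set are my assumptions.

```python
import re

# Constructed sample /etc/shadow lines (hashes are placeholders, not real).
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:18900:0:99999:7:::
legacy:$1$abcdefgh$hashhashhash:18900:0:99999:7:::
modern:$y$j9T$saltsalt$hashhashhash:18900:0:99999:7:::
bcrypt:$2b$12$saltsaltsaltsaltsaltsehashhash:18900:0:99999:7:::
svc:!:18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
olduser:AbCdEfGhIjKlM:18900:0:99999:7:::
"""

# crypt(3) id -> scheme name, as listed in posts #9 and #10 above.
SCHEMES = {
    "1": "md5crypt", "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt",
    "2x": "bcrypt", "2y": "bcrypt", "5": "sha256crypt", "6": "sha512crypt",
    "7": "scrypt", "y": "yescrypt", "argon2i": "argon2", "argon2d": "argon2",
    "argon2ds": "argon2", "argon2id": "argon2",
}
# Assumed policy: schemes that should trigger a forced password change.
WEAK = {"md5crypt", "descrypt"}

def classify(field):
    """Return (scheme, needs_change) for one shadow password field."""
    if field == "":
        return ("empty-password", True)          # login without a password
    if field.startswith(("!", "*")):
        return ("locked-or-no-password", False)  # account cannot log in by password
    m = re.match(r"^\$([^$]+)\$", field)
    if not m:
        return ("descrypt", True)                # no $id$ prefix: traditional DES crypt
    scheme = SCHEMES.get(m.group(1), "unknown:" + m.group(1))
    return (scheme, scheme in WEAK)

def audit(shadow_text):
    """Map user -> (scheme, needs_change) for every line of shadow-format text."""
    result = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        result[user] = classify(field)
    return result

if __name__ == "__main__":
    for user, (scheme, weak) in audit(SAMPLE_SHADOW).items():
        print(f"{user:10} {scheme:24} {'CHANGE' if weak else 'ok'}")
```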
Old 12-20-2021, 01:52 PM   #11
computersavvy
Senior Member
 
Registered: Aug 2016
Posts: 3,345

What all the above points out is that there are 2 factors affecting password complexity.

First is the password itself. Is it easy to guess, or will it take a massive brute force attempt to guess it? The attack would need to use the same 'salt' and the same algorithm to hash each attempt, then compare the result to the stored encrypted password to verify whether the guess succeeded or failed.

The second is the algorithm used by the system to hash/encrypt it and some are better than others.
 
Old 12-20-2021, 04:15 PM   #12
androsob
LQ Newbie
 
Registered: Dec 2021
Location: Lima, Perú
Distribution: Ubuntu
Posts: 8

Original Poster
Because of my position I don't manage root passwords, but when I found out about some I almost ripped my eyes out hahaha

The issue is that I do not want to be bothering people by asking, server by server, what the password is; from my position I want to audit the possibly easy keys and recommend their change.
 
Old 12-21-2021, 02:05 AM   #13
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,895

Because of your position you need not know those passwords at all. So you can [force to] set a mechanism to check passwords automatically (programmatically). You (or the audit) can check whether that mechanism exists and is sufficient, and you can force the responsible admins to change those passwords (see post #6 again and the links).
 
Old 12-21-2021, 07:27 AM   #14
JeremyBoden
Senior Member
 
Registered: Nov 2011
Location: London, UK
Distribution: Debian
Posts: 1,947

If you have root access, you can override any automated password checker.
If you really want to set the root password to 'password', you can.
 
Old 12-21-2021, 08:01 AM   #15
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,895

Quote:
Originally Posted by JeremyBoden
If you have root access, you can override any automated password checker.
If you really want to set the root password to 'password', you can.
Actually, root always has the possibility to "overrule" any solution (or any rule). But that is another story.
 
All times are GMT -5.