Linux - Newbie
This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's, this is the place!
Hello everyone, I'm new to the forum. I wanted to know if there is a way to know the complexity of the root password without knowing it exactly.
I do not know if any encrypted record or file is generated that could give any indication of it.
It may seem absurd, but there are cases where we do not know the root password but have to do a security audit on the server, and I don't want to be asking for the password every time I have to check it.
There used to be a website where you could input a password and get a judgement on its complexity. But I can see why you might not want to do that with your root password!
Hashes are one-way, so without knowing the password you can't tell without lots and lots of work. Furthermore, the password hash in /etc/shadow is salted for you, so you'd have to take the salt into account before you go to the trouble of making a list of possible matching hashes using John the Ripper.
It'd be more practical just to reset the root password to something known good. You can easily make a good one by hand, but there are various utilities to either make or evaluate passwords. Cracklib is an example of the latter. While pwdgen is one example of many of the former, generating passwords is easy enough that you can make a good one with a few lines of perl, python, ruby, or whatever.
Quote:
Originally Posted by Turbocapitalist
There used to be a website where you could input a password and get a judgement on its complexity. But I can see why you might not want to do that with your root password!
You're probably referring to zxcvbn, which is a JavaScript library intended for use on registration pages - there is a demo of it in use which is safe so long as the relevant GitHub repo is not compromised.
The safer option is to download it and use it locally (again, after verifying there is no tampering to add remote requests in the code).
This doesn't solve the not-knowing-the-password problem, but it could be provided to the people that do know it, asking them to verify the passwords they're responsible for and change any that come below a certain strength rating.
Quote:
Originally Posted by androsob
I wanted to know if there was a way to know the complexity of the root password without knowing it exactly.
No, there is no way to know the complexity of any password without knowing that password.
Quote:
Originally Posted by androsob
I do not know if any encrypted record or file is generated that can show any indication of it.
Quote:
Originally Posted by androsob
It may seem absurd, but there are cases where we do not know the root password but we have to do a security audit on the server and I don't want to be asking for the password every time I have to check it.
Thank you all for your responses. I say this because we recently went through a security audit, and the entire process of gathering the requested information was quite tedious.
But the absurd thing is that they ask you for records of everything, yet they do not audit something as basic as the complexity of the root password.
So, since I'm in security, I wanted to know if there was any way to detect a possibly insecure key and recommend that the infrastructure area correct it.
This will most likely output rows like "root:$6$" - if you get any that contain "$1$" then that user's password is hashed by a now insecure algorithm - you need to check/fix the default, then require that user to change their password.
$1 = MD5 hashing algorithm, very insecure
$2 = Blowfish algorithm is in use
$2a = eksblowfish algorithm
$5 = SHA-256 algorithm
$6 = SHA-512 algorithm
"$1$" is not MD5, it's md5crypt. That's not pedantry - there is a difference. (Not enough to stop it being insecure, but still a difference.)
On the same note, the difference between "$6$" (sha512crypt) and SHA-512 is enough to make "$6$"/sha512crypt adequate (for the time being), despite SHA-512 algorithm itself being a bad choice for passwords. (Also important to state that sha512crypt is different to "SSHA-512", which is another poor choice.)
"$2$" and "$2a$" and "$2b$" are different versions of the same algorithm (bcrypt, aka Blowfish-based crypt, which uses the Eksblowfish cipher). There are also the unofficial prefixes "$2x$" and "$2y$" from PHP's implementation.
Some other notable ones are "$7$" for scrypt, "$y$" for yescrypt, and Argon2 has four variants "$argon2i$" and "$argon2d$" and "$argon2ds$" and "$argon2id$" which each have benefits against different threat types.
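As an added example (not code posted in this thread), here is a small audit script that does what the earlier "root:$6$" check and the prefix correction above describe: it reads shadow-format lines, maps each "$id$" prefix to the scheme named in this thread, and flags md5crypt, legacy unprefixed DES crypt and empty password fields. The sample entries are constructed placeholders, not real hashes.

```python
from __future__ import annotations
import re
from typing import NamedTuple

class Finding(NamedTuple):
    user: str
    scheme: str
    verdict: str  # "insecure", "ok", "locked" or "unknown"

# Prefix -> (scheme, verdict). Names follow the correction post above:
# "$1$" is md5crypt (not plain MD5), "$6$" is sha512crypt (not plain SHA-512).
SCHEMES = {
    "1": ("md5crypt", "insecure"),
    "2": ("bcrypt", "ok"), "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"),
    "2x": ("bcrypt (unofficial PHP prefix)", "ok"),
    "2y": ("bcrypt (unofficial PHP prefix)", "ok"),
    "5": ("sha256crypt", "ok"), "6": ("sha512crypt", "ok"),
    "7": ("scrypt", "ok"), "y": ("yescrypt", "ok"),
    "argon2i": ("Argon2i", "ok"), "argon2d": ("Argon2d", "ok"),
    "argon2ds": ("Argon2ds", "ok"), "argon2id": ("Argon2id", "ok"),
}
PREFIX_RE = re.compile(r"^\$([^$]+)\$")  # captures the id between the first two "$"

def classify_hash(field: str) -> tuple[str, str]:
    """Map the second field of a shadow entry to (scheme, verdict)."""
    if field == "":
        return ("empty password field", "insecure")    # no password needed to log in
    if field.startswith(("!", "*")):
        return ("locked / no password set", "locked")  # "!", "!!", "*", "!$6$..."
    m = PREFIX_RE.match(field)
    if not m:
        return ("descrypt (legacy, no $id$ prefix)", "insecure")
    return SCHEMES.get(m.group(1), (f"unknown prefix ${m.group(1)}$", "unknown"))

def audit_shadow(lines) -> list[Finding]:
    """Classify every user:hash:... line; comments and short lines are skipped."""
    out = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            scheme, verdict = classify_hash(fields[1])
            out.append(Finding(fields[0], scheme, verdict))
    return out

def weak_accounts(lines) -> list[str]:
    """Users whose stored hash the audit flags as insecure."""
    return [f.user for f in audit_shadow(lines) if f.verdict == "insecure"]

SAMPLE_SHADOW = [  # constructed sample; salts and hash bodies are placeholders
    "root:$6$rounds=5000$saltsalt$HASHBODY:19000:0:99999:7:::",
    "legacy:$1$saltsalt$HASHBODY:19000:0:99999:7:::",
    "web:$2b$12$saltsaltsaltsaltsaltsaHASHBODY:19000:0:99999:7:::",
    "svc:*:19000:0:99999:7:::", "kiosk::19000:0:99999:7:::",
    "ancient:abcdefghijklm:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.user:10} {f.verdict:9} {f.scheme}")
```

On a real host, run it as root and pass `open("/etc/shadow")` instead of SAMPLE_SHADOW; it reports the scheme per account without ever needing the passwords themselves.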
What all the above points out is that there are two factors affecting password complexity.
First is the password itself. Is it easy to guess, or will it take a massive brute-force attempt to guess it? The attack would need to use the same salt and the same algorithm to hash each attempt, then compare the result to the stored encrypted password to verify whether the guess succeeded or failed.
The second is the algorithm used by the system to hash/encrypt it, and some are better than others.
Because of my position I don't manage root passwords, but when I found out about some I almost ripped my eyes out hahaha
The issue is that I do not want to be a bother, asking server by server what the password is; rather, from my position, I want to audit for possibly easy keys and recommend their change.
Because of your position you need not know those passwords at all. So you can [force to] set a mechanism to check passwords automatically (programmatically). You (or the audit) can check whether that mechanism exists and is sufficient, and you can force the responsible admins to change those passwords (see post #6 again and the links).