LinuxQuestions.org


soulsinner 07-18-2001 06:52 AM

How to look at user password or change them
 
I'm using my root access, and I want to take a look at the user password. How do I do this? I'm using RH7.1.

trickykid 07-18-2001 09:40 AM

I am not sure on how to view passwords... don't think they make that possible, but you can change them with the passwd command.

jharris 07-18-2001 09:41 AM

You can only see the encrypted password by looking at /etc/shadow. The way the password system works is that it encrypts the password you give it, then compares it to the encrypted version; there is no way to go back to the plain text version.

cheers

Jamie...

raz 07-19-2001 05:57 AM

Just to build on those answers, this is why.

Linux uses the DES encryption algorithm.
This algorithm uses a private key method of encryption.
It's a one way encryption that applies a 56-bit key to each 64-bit block of data, with a 12-bit salt.

Basically the password is stored in its encrypted form in /etc/shadow. Then, when you type your password in, the system encrypts the plain password you entered and checks to see if it matches the stored encrypted string in /etc/shadow; if not, you're rejected.

So if you're serious about matching a password to someone's encrypted string "notice I didn't say decrypt", then you need lots of CPU power for brute force password cracking.

DES is "fairly" secure as the strongest password can only be matched after 72,057,594,037,927,936 different combinations.

Just to put this in perspective.
Someone challenged me to get the root password of a 2.5 Solaris Box in my old work.
At my disposal I had 5 Sun Ultra 2's with 2 x 400MHz RISC processors.
Each system could do about 180,000 different combinations per second x 10 systems all working together through "John the Ripper" software = 1.8 million password hits per second.
If the password was strong, then it would have taken these systems about 1,269 years to get the password. As in strong, I mean "lower/upper, numbers and ctrl chars".
Luckily for me the password was something like "sandra" so I got a match from my first brute force attempt of lowercase alphabetic 6 characters, which only takes about 1.7 minutes to do all of them. :)

Now 3-DES I don't even want to think about.

/Raz
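
As an added example (not part of any post in this thread): a small Python audit that parses entries in the /etc/shadow layout discussed above and reports which hashing scheme each account uses, flagging traditional DES crypt and showing its 2-character (12-bit) salt. The sample entries, the function names and the `LEGACY` set are constructed for illustration.

```python
import re

# crypt(3) scheme ids found between the first two '$' of the hash field.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
# Traditional DES crypt: no '$' prefix, 2 salt chars + 11 hash chars.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
LEGACY = {"des-crypt", "md5crypt"}  # assumption: schemes this audit flags

def classify(field):
    """Map the password field of a shadow entry to (scheme, salt)."""
    if field == "":
        return "empty", None                # account has no password
    if field.startswith(("!", "*")):
        return "locked", None               # no typed password can match
    if field.startswith("$"):
        parts = field.split("$")            # ['', id, salt-or-params, ...]
        scheme = SCHEMES.get(parts[1], "unknown")
        salt = None
        if scheme in ("md5crypt", "sha256crypt", "sha512crypt") and len(parts) >= 4:
            # sha*crypt may carry rounds=N before the salt
            salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
        return scheme, salt
    if DES_CRYPT.fullmatch(field):
        return "des-crypt", field[:2]       # 2 chars x 6 bits = 12-bit salt
    return "unknown", None

def audit(shadow_text):
    """Return one finding per entry; the hash itself is never echoed."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue                        # blank or malformed line
        scheme, salt = classify(fields[1])
        findings.append({"user": fields[0], "scheme": scheme, "salt": salt,
                         "weak": scheme in LEGACY or scheme == "empty"})
    return findings

# Constructed sample entries (not real hashes) in /etc/shadow layout.
SAMPLE = "\n".join([
    "root:abCdEfGhIjKlM:11521:0:99999:7:::",
    "alice:$1$Xy12abcd$" + "A" * 22 + ":11521:0:99999:7:::",
    "bob:$6$rounds=5000$constructedsalt$" + "A" * 86 + ":19000:0:99999:7:::",
    "daemon:*:11521:0:99999:7:::",
    "guest::11521:0:99999:7:::",
])
```

Calling `audit(SAMPLE)` returns one dictionary per account; accounts marked `weak` are the ones to have set a new password under a stronger scheme.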

