Is it possible to break the system password?
 

Is it possible that if the password file of the Linux gets copied, cracker can break the system password? In what way I can make the Linux password protection more secure. Does any one have idea about it?

Linux pasword jargon
 

Linux supports a special password protection technique by maintaining a shadow password file. A Shadow password file is a special version of password files that only root can read.
The password information is left out of the password file. You can determine weather the system users shadow password file by checking the password file. Type the following command on the command prompt.

# more /etc/passwd

It will display the content of the password file. Each line in the file represents information about a particular user. A colon (:) separates each information in a line. The second field is for password. If the password exists in the file then shadow password technique is not used by the system.

The shadow password technique can be implemented by converting the password file. You can do this by using the pwconv command. Log in as root and enter pwconv command at the prompt. It will not display any message, but when the shell prompt returns, your system will have a /etc/shadow file and /etc/passwd file encrypted password data is replaced with an x. The password data is now moved to /etc/shadow.

Re: Is it possible to break the system password?
 

To more directly answer your questions -- Yes. If a person gets the file that contains your crypted passwords (be it passwd or shadow) they can get the passwords out of the file ... eventually. The length of time they'll need is based on a lot of things, but mostly what crypto algorythm your system uses and how well you pick your passwords ;).

If you're not using shadow passwords, then you should be. RonRice offers good info on that.

Check out John the Ripper: http://www.openwall.com/john/ that'll do it, it can take incredibly long for a good password (Incredibly long = days +, weeks etc...).

well, it you would use blowfish cracking is posible... but not now. Of course it depends on the implementation, but until now there is no report of breaking blowfish. This may change in the future of course.

You can still dictionary blowfish, it just takes longer. That's why you should use nasty passwords like h&cX_P>.q :)

no, with dictionary it will take forever. That was tested already. Your passord advice is no better that using your name in terms of brute force breaking passwords (still try blowfish).

If you want real protection then use OTP. There is no way to quess it (unless you give them away:D )

Oh really? So you're telling me that it's just as likely that someone will have |[q?AYJ)a. in their dictionary file as it is that they will have John or Mike? I doubt that ...

No argument about OTP, but I think we can all agree that a new user would find it easier to make up an ugly password and change it often than to set up OTP on all the services a box can offer ...