LinuxQuestions.org
Old 02-19-2005, 03:32 AM   #1
ccalvin12
LQ Newbie
 
Registered: Feb 2005
Posts: 14

Rep: Reputation: 0
Is it possible to break the system password?


Is it possible that if the password file of Linux gets copied, a cracker can break the system password? In what way can I make the Linux password protection more secure? Does anyone have an idea about it?
 
Old 02-19-2005, 03:36 AM   #2
RonRice
LQ Newbie
 
Registered: Feb 2005
Posts: 14

Rep: Reputation: 0
Linux password jargon

Linux supports a special password protection technique by maintaining a shadow password file. A Shadow password file is a special version of password files that only root can read.
The password information is left out of the password file. You can determine whether the system uses a shadow password file by checking the password file. Type the following command at the command prompt.

# more /etc/passwd

It will display the content of the password file. Each line in the file represents information about a particular user. A colon (:) separates each piece of information in a line. The second field is for the password. If the password exists in the file then the shadow password technique is not used by the system.

The shadow password technique can be implemented by converting the password file. You can do this by using the pwconv command. Log in as root and enter the pwconv command at the prompt. It will not display any message, but when the shell prompt returns, your system will have a /etc/shadow file, and in the /etc/passwd file the encrypted password data is replaced with an x. The password data is now moved to /etc/shadow.
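
The check described in the post above (inspecting the second field of each /etc/passwd line), as an added shell example that is not part of any post in this thread. It goes one step further and labels the hash scheme by its crypt(3) prefix, since the replies below discuss how the algorithm affects cracking time; the function names and the sample accounts and hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit field 2 of a passwd-format file.

# Constructed sample data (not real accounts or real hashes).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:$1$CONSTRUC$constructedMD5hashvalue:1000:1000::/home/alice:/bin/sh
bob:ab0123456789.:1001:1001::/home/bob:/bin/sh
carol:$2a$05$constructedBlowfishSaltAndHashValue:1002:1002::/home/carol:/bin/sh
guest::1003:1003::/home/guest:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
}

# classify_passwd FILE: print "user:status" for every account in FILE.
classify_passwd() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        NF < 7 { print $1 ":malformed"; next }     # passwd(5) has 7 fields
        {
            pw = $2
            if      (pw == "x")            s = "shadowed"   # hash is in /etc/shadow
            else if (pw == "")             s = "empty"      # no password needed
            else if (pw ~ /^[*!]/)         s = "locked"
            else if (pw ~ /^\$1\$/)        s = "inline-md5"
            else if (pw ~ /^\$2[abxy]?\$/) s = "inline-blowfish"
            else if (pw ~ /^\$[56]\$/)     s = "inline-sha2"
            else if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$")
                                           s = "inline-des" # traditional crypt
            else                           s = "inline-unknown"
            print $1 ":" s
        }' "$1"
}

# needs_pwconv FILE: succeed if any account still has its hash in FILE.
needs_pwconv() {
    classify_passwd "$1" | grep -q ':inline-'
}

tmp=$(mktemp) && sample_passwd > "$tmp"
classify_passwd "$tmp"
needs_pwconv "$tmp" && echo "hashes found in passwd file: convert with pwconv"
rm -f "$tmp"
```

On a live system, pass /etc/passwd as the argument; any `inline-*` line means that account's hash is world-readable, and an `empty` line means the account needs no password at all.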
 
Old 02-19-2005, 06:29 PM   #3
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
Re: Is it possible to break the system password?

Quote:
Originally posted by ccalvin12
Is it possible that if the password file of Linux gets copied, a cracker can break the system password? In what way can I make the Linux password protection more secure? Does anyone have an idea about it?
To more directly answer your questions -- Yes. If a person gets the file that contains your crypted passwords (be it passwd or shadow) they can get the passwords out of the file ... eventually. The length of time they'll need is based on a lot of things, but mostly what crypto algorithm your system uses and how well you pick your passwords.

If you're not using shadow passwords, then you should be. RonRice offers good info on that.
 
Old 02-21-2005, 03:02 PM   #4
mikeyt_333
Member
 
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353

Rep: Reputation: 30
Check out John the Ripper: http://www.openwall.com/john/. That'll do it; it can take incredibly long for a good password (incredibly long = days+, weeks, etc.).

Last edited by mikeyt_333; 02-21-2005 at 03:04 PM.
 
Old 02-22-2005, 09:16 AM   #5
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 458

Rep: Reputation: 32
Well, if you would use blowfish, cracking is possible... but not now. Of course it depends on the implementation, but until now there is no report of breaking blowfish. This may change in the future, of course.
 
Old 02-22-2005, 10:31 AM   #6
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
You can still dictionary blowfish, it just takes longer. That's why you should use nasty passwords like h&cX_P>.q
 
Old 02-22-2005, 11:02 AM   #7
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 458

Rep: Reputation: 32
No, with a dictionary it will take forever. That was tested already. Your password advice is no better than using your name in terms of brute force breaking passwords (still try blowfish).

If you want real protection then use OTP. There is no way to guess it (unless you give them away).

Last edited by broch; 02-22-2005 at 11:12 AM.
 
Old 02-22-2005, 11:38 AM   #8
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
Quote:
Originally posted by broch
No, with a dictionary it will take forever. That was tested already. Your password advice is no better than using your name in terms of brute force breaking passwords (still try blowfish).

If you want real protection then use OTP. There is no way to guess it (unless you give them away).
Oh really? So you're telling me that it's just as likely that someone will have |[q?AYJ)a. in their dictionary file as it is that they will have John or Mike? I doubt that ...

No argument about OTP, but I think we can all agree that a new user would find it easier to make up an ugly password and change it often than to set up OTP on all the services a box can offer ...
 
  

