Linux Password security
Passwords are a basic part of security, so I thought I'd write a little tutorial on passwords for the fellow newbs.
I. Password basics
II. Password cracking
III. Password protection and good practices.
We should all know that passwords are stored in encrypted form. An encrypted password becomes encrypted by using a repeating algorithm to convert text to an unreadable form. So if your password was "Password" it would look like hhaIOIs9iskk (or something to that same effect). I won't go into encryption here, but if you want to learn more about it, check out Ankit's tutorials at www.hackingtruths.box.sk
/etc/passwd is the file in which older Linux versions used to store their encrypted passwords, which proved to be an unsafe practice. Linux password files look like this:
root:agdKJd372:0:0:root:/root:/bin/bash
The first part, "root", is the user name. The second, "agdKJd372", is the encrypted password. The third is the user ID number, the fourth is the group ID number, the fifth is the comment of the user (most of the time the user name), the sixth is the home directory the user is put in when they log in, and the last is the shell they are logged in to. Leaving the /etc/passwd file open to be read leaves the system very vulnerable to a password attack, so on most distros the passwd file is shadowed and the encrypted password is kept in /etc/shadow. A shadowed password looks like this:
root:*:0:0:root:/root:/bin/bash
Notice how the password field is only a "*" now. Anyone with half a brain keeps their passwords shadowed and leaves the /etc/shadow permissions so that it is readable only by root. We will get more into shadowed passwords later.
The "passwd" command changes the password for the user you are logged in as, if you know your password. One security flaw that lets you change the root password is very easy to exploit and should be disabled: when booting the computer, at the "LILO boot" prompt type in "linux single" and that usually gives you root permissions. Then if you execute "linuxconf" you can change the root password.
Password cracking is a common way for hackers to get passwords. Without password cracking, they would have to resort to guessing one by one. Usually there are "brute force attacks" and "dictionary attacks", the former being a method of guessing every combination of letters and numbers for a given number of characters and the latter being the method of trying every word in the dictionary. These programs are very easy to find and have proved their effectiveness. Usually a hacker will make a copy of the encrypted password file and use one of these programs to get the unencrypted password. Evidence of an attack can be found in the log files under /var/log and looks like a large number of unsuccessful logins.
Ways to protect your machine from cracking programs such as "John the Ripper" are to get these programs and test your own passwords, make the password files readable only by root, always keep a close eye on your log files, and always keep /etc/passwd shadowed.
pwck-->checks all the passwords on your system to make sure all of the information is valid
pwconv-->enables shadowing and makes /etc/shadow
pwunconv-->the opposite of pwconv
chage--> used to determine when a user must change his password
gpasswd-->add new users to a group
groupadd-->make a group
groupmod-->modify a group
passwd-->change your password
Password protection and good practices
And here are some tips to make your passwords strong.
- don't use passwords that are a combination of a name, word, and number, such as "marquis5150" or "jenny8675309"
- don't use words that you can find in the dictionary
- don't use your name, family members' names, birthdays, pets etc., or any of them backwards.
- use a password that is easy to remember, very hard to guess, and not in the dictionary, such as an acronym.
An example would be this: say you take a quote like "I've got people to do, and things to see" and change it to "Igptd, atts"
- use different passwords on different systems
- have a utility such as "passwd+", "Npasswd", "Anlpasswd" or "PAM" to make sure that passwords aren't weak
- if you are crazy, use one-time passwords: get "SecureID" or "S/Key". These make sure that the password can only be used once, so that even if a hacker sniffed the password, it isn't going to work.
- run password crackers
Well, that was it. I hope I helped some people out who are total newbies in the security scene, or even seasoned professionals.
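The record layouts and the two cracking methods described in the post above, as an added example that is not code from the original post. It parses the seven-field /etc/passwd and nine-field /etc/shadow formats, flags accounts whose hash is still sitting in /etc/passwd, and then runs a dictionary pass followed by brute force over each shadow hash. Real shadow hashes are produced by crypt(3); because Python's crypt module is gone as of 3.13, "demo_hash" is a constructed stand-in scheme ($demo$salt$sha512) used only so the example runs offline, and the sample records are constructed, not taken from any real system.

```python
import hashlib
import itertools
import string

# Field layouts of the two files described in the post.
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "password", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")
ALPHABET = string.digits + string.ascii_lowercase  # brute-force character set


def parse_record(line, fields):
    """Split one colon-separated record into a dict; reject a wrong field count."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
    return dict(zip(fields, parts))


def unshadowed_accounts(passwd_lines):
    """Names whose /etc/passwd entry still carries a hash instead of 'x' or '*'."""
    names = []
    for line in passwd_lines:
        rec = parse_record(line, PASSWD_FIELDS)
        if rec["password"] not in ("x", "*", "!", ""):
            names.append(rec["name"])
    return names


def demo_hash(password, salt):
    """CONSTRUCTED stand-in for crypt(3): $demo$<salt>$<hex sha512(salt+password)>.
    Replace with a real sha512-crypt implementation to attack genuine shadow files."""
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"


def salt_of(hashed):
    """Pull the salt out of a $id$salt$hash string so guesses use the same salt."""
    _, _ident, salt, _ = hashed.split("$", 3)
    return salt


def dictionary_attack(hashed, wordlist):
    """Try every word in the list; return the match or None."""
    salt = salt_of(hashed)
    for word in wordlist:
        if demo_hash(word, salt) == hashed:
            return word
    return None


def brute_force(hashed, alphabet=ALPHABET, max_len=3):
    """Try every string over the alphabet up to max_len; return the match or None."""
    salt = salt_of(hashed)
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if demo_hash(guess, salt) == hashed:
                return guess
    return None


def crack_shadow(shadow_lines, wordlist, alphabet=ALPHABET, max_len=3):
    """Dictionary pass first, brute force second; locked accounts (* or !) are skipped."""
    results = {}
    for line in shadow_lines:
        rec = parse_record(line, SHADOW_FIELDS)
        h = rec["password"]
        if not h or h[0] in "*!":
            continue
        found = dictionary_attack(h, wordlist)
        if found is None:
            found = brute_force(h, alphabet, max_len)
        results[rec["name"]] = found
    return results


# Constructed sample records (not from any real system).
PASSWD_SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "old:agdKJd372:1000:1000:Legacy user:/home/old:/bin/bash",  # hash never moved to shadow
]
SHADOW_SAMPLE = [
    "root:" + demo_hash("password", "ab12") + ":12000:0:99999:7:::",  # dictionary word
    "pin:" + demo_hash("7a9", "cd34") + ":12000:0:99999:7:::",        # short, brute-forceable
    "daemon:*:12000:0:99999:7:::",                                     # locked account
]
WORDLIST = ["letmein", "secret", "password"]


def demo():
    """Run both checks over the sample data and return the findings."""
    return unshadowed_accounts(PASSWD_SAMPLE), crack_shadow(SHADOW_SAMPLE, WORDLIST)


if __name__ == "__main__":
    exposed, cracked = demo()
    print("hashes still in /etc/passwd:", exposed)
    print("cracked:", cracked)
```

Running it reports "old" as an account whose hash is still world-readable in /etc/passwd, recovers root's password from the wordlist, and recovers "7a9" by brute force; the locked daemon account is skipped. The same dictionary-then-brute-force order is what the cracking programs the post mentions follow, which is why a dictionary word is the first thing to avoid.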
The importance of strong passwords cannot be underestimated.
But you must also ensure that your password remains 'safe'
1. Never put your password on a post-it on your screen
2. Beware sending your password unencrypted
(if you telnet to a remote machine, there is a possibility that your password could be sniffed off the wire; alternative [& more secure] choices are SSH or SRP)
3. Change your password at regular intervals
4. Use long 'pass phrases' rather than passwords (if possible), and as well as adding mixed case, also use spaces and extra ^$"$^%'s to make it more unique.
I hope this helps.
Good posts both...
In the newer Linux versions you can use passwords up to 127 characters.
It is not really necessary to make them that long,
but 8 characters is a bare minimum, or else a simple brute force could do the password in about a day.
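A checker for the rules laid out across the thread (the first post's list of things not to use and its acronym trick, the second post's mixed-case passphrase advice, and the 8-character minimum from the post above), as an added example that is not code from any of the posts. The dictionary and personal-data sets are constructed stand-ins for a real word list and the account's GECOS data, and the brute-force estimate assumes an attacker speed of one million guesses per second, which is an assumption chosen for illustration rather than a figure from the thread.

```python
import re
import string

# Constructed stand-ins for a dictionary file and the user's personal details;
# a real check would load /usr/share/dict/words and the account's GECOS data.
DICTIONARY = {"password", "marquis", "jenny", "secret", "linux", "dragon"}
PERSONAL = {"jenny", "rex", "smith", "8675309"}
GUESSES_PER_SECOND = 1_000_000  # assumed attacker speed for the estimate below


def charset_size(password):
    """Size of the alphabet a brute forcer must cover, from the classes present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += len(string.punctuation) + 1  # punctuation plus the space
    return size


def brute_force_seconds(password, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to exhaust every string up to this length over its charset."""
    n = charset_size(password)
    total = sum(n ** k for k in range(1, len(password) + 1))
    return total / guesses_per_second


def check_password(password, dictionary=DICTIONARY, personal=PERSONAL, min_len=8):
    """Return the rule violations found (an empty list means the password passes)."""
    problems = []
    low = password.lower()
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if low in dictionary or low[::-1] in dictionary:
        problems.append("dictionary word (possibly reversed)")
    # name or word followed by digits, e.g. marquis5150 or jenny8675309
    m = re.fullmatch(r"([a-z]+)(\d+)", low)
    if m and (m.group(1) in dictionary or m.group(1) in personal):
        problems.append("word or name followed by a number")
    for item in sorted(personal):
        if item in low or item[::-1] in low:
            problems.append(f"contains personal data {item!r} (or its reverse)")
            break
    if charset_size(password) <= 26:
        problems.append("single character class (mix case, digits, symbols)")
    return problems


def acronym(phrase):
    """Build a password from a memorable phrase as the first post suggests:
    first character of each word, keeping case and any trailing punctuation."""
    out = []
    for token in phrase.split():
        core = token.strip(string.punctuation)
        if not core:
            continue
        piece = core[0]
        if token[-1] in string.punctuation and token[-1] != "'":
            piece += token[-1] + " "  # "do," -> "d, " so the result reads like the post's example
        out.append(piece)
    return "".join(out).rstrip()


if __name__ == "__main__":
    for candidate in ["Password", "jenny8675309", acronym("I've got people to do, and things to see")]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    for length in (7, 8):
        days = brute_force_seconds("a" * length) / 86400
        print(f"{length} lowercase chars: about {days:.2f} days at {GUESSES_PER_SECOND:,} guesses/s")
```

With the assumed speed, seven lowercase characters fall in a couple of hours and eight take a few days, which is the reason for the 8-character floor; mixing in upper case, digits and symbols raises the alphabet to 95 and pushes the same length far beyond that. The phrase from the first post comes out as "Igptd, atts" and passes every rule, while "Password" and "jenny8675309" are rejected.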