Printable View
Still learning to use Linux, just for a laugh I tried the John program on /etc/shadow and in 41 seconds it showed my password on the screen. So for a moment I thought "OMG My Passord Is Teh Suxxor" but then I thought, who the hell cares?
A real attacker wouldn't be able to get at the password file unless they already had root access, in which case they wouldn't bother with my password would they?
These are my personal views:
1. That is what John the Ripper is supposed to do.
2. I would not assume that your password file cannot be accessed without root. Or that root cannot be remotely obtained on your system.
3. 41 Seconds isn't very long. You might consider using a longer and stronger password.
4. Don't assume that someone is not interested in your password. Some things you can really only hope to reset it, but that is a dead giveaway that a compromise has occurred. So, to raise as little suspicion as possible you may want to find and use the existing one?
To make a long password that is easily remembered:
1. Pick a seed: "PaSsWoRd" then pack it out:
2. €0987654321"PaSsWoRd"?><MNBVCXZ|£
I would imagine that would take a little while?..............the packing is just the top and bottom rows of the keyboard.
You may like to try that method to see how effective it is? I must admit that I have not tried the latest tools ;)
Nihil,
great idea on the "packing". I'd been doing variations on upper/lower case, subbing numbers for letters (l337). But packing is a great idea.
Yes, you should absolutely care. There have been more than a handful of directory traversal exploits out there over the years, many of which gave you access to the shadow PW file as well as many other "protected" areas of the file system. In fact, just a few weeks back, I found one in a very well respected product.
Do yourself a favor, especially if you're going to expose that host to the internet, follow security best practices. Good passwords are the foundation to good security.
--TH13
I wasn't, I was just assuming that if someone had already compromised my system that far, they wouldn't need my password. But I guess I was wrong...Quote:
Originally Posted by nihil
I guess that's what I wanted to know. Thanks all, I guess it's time for me to get a new password.Quote:
Originally Posted by thehorse13
i remember an incident with a client i had where some one got his gmail password. It was his personal account and he was aware. Doesnt seem like much just a seldom used personal email account. Howerver the attacker searched it and retrived passwords and documents descripbing how this guys bussiness was set up. From there he was able to gain full access to their networks.My point is you should protect all your passwords. Maby try a pass phrase such as "this is my password" that right there is easy to remember and is 18 characters. at 18^26th power that leads to a pretty large number and a bit of time to brute force.
It's still all lower case standard letters.
http://www.cs.umd.edu/faq/Passwords.shtml
Most programs that search for passwords would routinely try replacing e's with 3s and a's with 4s etc - turning your password into leetspeak isn't really protecting it very much. Not sure about the packing .... I guess if you could make your own individual packing round a word and remember the sequence it would be a lot stronger.Quote:
Originally Posted by fourdc
Yes, a "good quality" dictionary will contain leetspeak and known "default" passwords as well.
If it is brute force/rainbow tables then it isn't looking for words anyway.
I like to use the <alt> key and the number pad to generate characters in my password.
Damn! My secret's out now! lol