5

My question is: if someone hacked privileges on the /etc/shadow file, can he crack the passwords of the system users?

If yes, how can I secure my passwords more, and how can I make it difficult for a cracker to easily crack my users' passwords?

Any Suggestion?

nux

2 Answers

7

While DES should never be used, MD5 is also weak. Check your /etc/login.defs file for the ENCRYPT_METHOD setting. SHA512 is the strongest possible option as far as I know. If your hashes in /etc/shadow start with "$6$", that's SHA512 which I think is not known to be broken (unlike DES and MD5). Of course, strong password hashes do not mean that simple passwords cannot still be easily cracked - they can.

Jeff
    It doesn't matter what hash you use; if you have the hash and enough time, and assuming the password is relatively short (it isn't hundreds of characters long or more), then you can find it. – psusi Mar 01 '14 at 05:22
  • 1
    @psusi, The strength of a password as derived from its length is limited to the length (in bytes) of the hash generated. You can't have more entropy than the storage mechanism itself. For example, sha512 hashes are 64 bytes long, so any password, no matter how long, cannot be more secure than 64 bytes would allow. – Soviero Mar 01 '14 at 07:22
  • @KevinSoviero, the question is not which has more entropy, but how difficult it is to find the password, given the hash. That is entirely dependent on the time it takes to compute the hash and how complex the password is. The length of the hash only matters if you are looking for a duplicate password that gives the same hash. – psusi Mar 01 '14 at 19:27
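The "$6$" check in the answer above can be automated: the small script below is an added example (not part of the original answers) that parses shadow-format lines, classifies each password field by its crypt(3) prefix, and flags MD5, DES, empty and unrecognised entries for re-hashing. The sample lines are constructed with placeholder hashes; on a real system you would point it at /etc/shadow as root.

```python
import re
# Constructed sample /etc/shadow lines (placeholder hashes, not real ones)
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASH:19000:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDERHASHPLACEHOLD:19000:0:99999:7:::
bob:ab/PLACEHOLD.:19000:0:99999:7:::
carol:$y$j9T$saltsaltsaltsalt$PLACEHOLDERHASHPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
eve::19000:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm, considered weak for password storage)
SCHEMES = {
    "$1$": ("MD5", True),
    "$2y$": ("bcrypt", False),
    "$5$": ("SHA-256", False),
    "$6$": ("SHA-512", False),
    "$y$": ("yescrypt", False),
}

def classify(hash_field):
    """Return (algorithm, weak) for the password field of one shadow entry."""
    if hash_field == "":
        return ("empty", True)        # no password at all
    if hash_field == "*" or hash_field.startswith("!"):
        return ("locked", False)      # account disabled, no usable hash
    for prefix, verdict in SCHEMES.items():
        if hash_field.startswith(prefix):
            return verdict
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return ("DES", True)          # traditional 13-character crypt
    return ("unknown", True)          # flag anything unrecognised for review

def audit_shadow(text):
    """Parse shadow-format text into {user: (algorithm, weak)}."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            result[fields[0]] = classify(fields[1])
    return result

def weak_accounts(text):
    return sorted(u for u, (_, weak) in audit_shadow(text).items() if weak)

if __name__ == "__main__":
    import sys  # usage: sudo python3 shadow_audit.py /etc/shadow
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user, (alg, weak) in audit_shadow(data).items():
        print(f"{user:8} {alg:10} {'WEAK' if weak else 'ok'}")
```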
5

After research, I can answer these questions:

Can passwords be cracked: Yes

How: by using cracking software like John the Ripper, security software which is open source and can be installed easily.

What should the level of the cracker be: Newbie, because this software is pretty good and there are plenty of instructions on the net on how to use it.

Here is how easy it is to use it to crack passwords! Link

What should I do to be more secure?

1) Make sure you use SHA512 on your passwords instead of DES and md5!
2) Use a password cracker to filter out weak passwords.
3) Use different passwords on different systems.
4) Force users to change their passwords - the root password should be changed even more frequently!
5) Your passwords should:
   - Be at least 8 characters long.
   - Have at least one number.
   - Have at least one non-alphanumeric character.
   - Not consist of a dictionary word.
   - Have both upper and lower case letters.

References: dankalia

nux
  • 1
    Maybe... but http://www.stormpath.com/blog/5-myths-password-security – Rmano Mar 01 '14 at 03:23
  • That's what I am talking about, I want to learn how to make my system more secure. – nux Mar 01 '14 at 03:26
  • 2
    @Rmano not sure what that link has to do with this question. nux I think some of the information you posted, most of, is a bit outdated. Ubuntu has not used md5 or des for years. – Panther Mar 01 '14 at 03:41
  • @dankalia answer is OK but I'd change it a bit: 1. Use a random password generator. After a few times of typing it you will memorise it. 2. With strong enough, random unshared passwords (i.e. not reused for multiple accounts), I find forcing password resetting to be detrimental, don't do this. 3. Use an encrypted password store (e.g. lastpass, but there are plenty others) to backup the passwords (e.g. just in case you forget, or passwords you don't use so often). – Capt. Crunch Mar 01 '14 at 23:19
  • While I agree with your points 1 to 3, I strongly disagree with 4 and 5. 4: When users are forced to change passwords often, they use very simple ones, and write it on a post-it note on the monitor or similar. 5: the passwords should be longer (12 characters or more? 8 is definitely not enough) and the length is the only thing that really counts. The mixed-case-numbers-etc. rules that are forced on users are BS and lead to, again, passwords on post-its. A long password with common words is much better than "8!x5A?~.". Try it with JTR. And of course, see the xkcd quote – mivk Jan 17 '19 at 11:55