1. How Linux Stores Passwords
2. How Linux Stores Passwords Traditional Unix systems keep user account information, including one-way encrypted passwords, in a text file called ``/etc/passwd''. As this file is used by many tools (such as ``ls'') to display file ownerships, etc. by matching user id numbers with user names, the file needs to be world-readable. This can be somewhat of a security risk.
While some other Linux distributions force you to install the Shadow Password Suite in order to use the shadow format, Red Hat makes it simple. To switch between the two formats, type (as root).
3. Password Protection For security purposes, the Red Hat Linux installation program defaults to using the Message-Digest Algorithm (MD5) and shadow passwords. It is highly recommended that you do not alter these settings.
If MD5 passwords are deselected during installation, the old DES (Data Encryption Standard) format is used. This allows alphanumeric passwords of up to eight characters and is only 56-bit in encryption level.
4. Password Shadowing As with the traditional method, this method stores account information in the /etc/passwd file in a compatible format. However, the password is stored as a single "x" character (i.e., it is not actually stored in this file). A second file, called ``/etc/shadow'', contains the encrypted password as well as other information such as account or password expiration values, etc. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.
Shadow commands:
/usr/sbin/pwconv: To convert to the shadow format.
/usr/sbin/pwunconv: To convert back to the traditional format.
With shadow passwords, the ``/etc/passwd'' file contains account information, and looks like this:
smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
5. Password Hashing Contd If password shadowing is deselected, then passwords are stored as one-way hashes in the world-readable /etc/passwd file. This leaves the machine vulnerable to attack if someone is able to gain physical access and use one of the numerous password crackers.
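The checks in slides 2 to 5 (a hash sitting in world-readable /etc/passwd instead of an "x", a 13-character DES crypt hash instead of the $1$ MD5 scheme, an empty password field) can be automated. The script below is an added example, not code from the slides; the passwd and shadow lines are constructed, the hash strings are shaped like crypt(3) output but are not real hashes, and the $5$, $6$ and $y$ prefixes are later scheme identifiers (assumed, as used by glibc/libxcrypt) that the slides do not mention.

```python
"""Audit /etc/passwd and /etc/shadow entries for weak password storage.

Added example (not code from the original slides). The sample lines below
are constructed; the hash strings look like crypt(3) output but are not
valid hashes of any password.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample entries. The 'legacy' account keeps a 13-character
# DES-crypt hash directly in the world-readable passwd file, which is the
# unshadowed layout the slides warn about.
PASSWD_LINES = [
    "smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash",
    "legacy:ab01Rgfz7HKpY:562:562:Legacy User:/home/legacy:/bin/sh",
    "root:x:0:0:root:/root:/bin/bash",
]
SHADOW_LINES = [
    "smithj:$1$Zz9qQ3aK$abcdefghijklmnopqrstuv:19000:0:99999:7:::",
    "root:$6$Qw8zLp2m$constructedSha512HashValue:19000:0:99999:7:::",
]

# Traditional DES crypt: exactly 13 characters from the 64-symbol alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular-crypt prefixes: $1$ is the MD5 scheme the slides mention; the
# others are later schemes (assumed identifiers, as used by glibc/libxcrypt).
MODULAR_IDS = {"$1$": "md5-crypt", "$5$": "sha256-crypt",
               "$6$": "sha512-crypt", "$y$": "yescrypt"}


@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" when shadowed, otherwise the hash itself
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: str
    min_days: str
    max_days: str
    warn_days: str
    inactive: str
    expire: str
    reserved: str


def parse_passwd(line: str) -> PasswdEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"passwd entry needs 7 fields, got {len(fields)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)


def parse_shadow(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"shadow entry needs 9 fields, got {len(fields)}: {line!r}")
    return ShadowEntry(*fields)


def classify_hash(field: str) -> str:
    """Name the scheme behind a password field, or say why it holds no hash."""
    if field == "x":
        return "shadowed"
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in MODULAR_IDS.items():
        if field.startswith(prefix):
            return name
    if DES_CRYPT.match(field):
        return "des-crypt"
    return "unknown"


def audit(passwd_lines: List[str], shadow_lines: List[str]) -> List[str]:
    """One finding per account whose storage is weaker than a shadowed MD5 hash."""
    shadow: Dict[str, ShadowEntry] = {
        e.name: e for e in (parse_shadow(l) for l in shadow_lines)
    }
    findings: List[str] = []
    for line in passwd_lines:
        entry = parse_passwd(line)
        kind = classify_hash(entry.password)
        if kind == "shadowed":
            s = shadow.get(entry.name)
            if s is None:
                findings.append(f"{entry.name}: marked 'x' but has no /etc/shadow entry")
                continue
            kind = classify_hash(s.password)
            if kind == "des-crypt":
                findings.append(f"{entry.name}: shadow hash is 56-bit DES crypt; re-hash with a modern scheme")
            elif kind == "empty":
                findings.append(f"{entry.name}: empty password in /etc/shadow")
        elif kind == "empty":
            findings.append(f"{entry.name}: empty password field in world-readable /etc/passwd")
        elif kind != "locked":
            # Any real hash in /etc/passwd is readable by every local user.
            findings.append(f"{entry.name}: {kind} hash stored in world-readable /etc/passwd; run pwconv")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD_LINES, SHADOW_LINES):
        print(finding)
```

On a real host the two lists would come from reading the files as root; the parser deliberately rejects lines with the wrong field count rather than guessing, because a malformed entry is itself worth a finding.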
6. Choosing Passwords DON'TS! Do Not Use Only Words or Numbers
Do Not Use Recognizable Words
Do Not Use Words in Foreign Languages
Do Not Use Hacker Terminology
Do Not Use Personal Information
Do Not Invert Recognizable Words
Do Not Write Down Your Password
Do Not Use the Same Password For All Machines
7. Choosing Passwords DOS! Make the Password At Least Eight Characters Long
Mix Upper and Lower Case Letters
Mix Letters and Numbers
Include Non-Alphanumeric Characters
Pick a Password You Can Remember
Examples of strong passwords:
Turn left on Monroe, right on Tennessee, speed limit 35.
Password: TloMroTsl35
I want an A on Calculus 2 in the Fall, 90%.
Password: IwaAoC2itF90%
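The DON'TS and DOS of slides 6 and 7 can be turned into a mechanical check that reports which rules a candidate fails. This is an added example, not part of the presentation; the word list and the personal-information tokens are constructed stand-ins (a deployment would load a full dictionary, including the foreign-language and hacker-jargon lists the slides mention, and the account's own GECOS data). Run against the slides' own examples, it passes IwaAoC2itF90% outright and flags TloMroTsl35 on exactly one rule, since that password contains no non-alphanumeric character.

```python
"""Check a candidate password against the rules on the slides.

Added example, not from the original presentation. COMMON_WORDS and
PERSONAL_INFO are constructed stand-ins for a real dictionary and for the
user's account data.
"""
from typing import Iterable, List

# Constructed mini dictionary; a real check would use a large word list.
COMMON_WORDS = {"password", "monroe", "tennessee", "calculus", "linux", "admin"}
# Constructed personal tokens for the sample account 'smithj'.
PERSONAL_INFO = ["Joe", "Smith", "smithj"]


def letters_only(password: str) -> str:
    """The alphabetic core of a password, lower-cased (digits/symbols removed)."""
    return "".join(ch for ch in password if ch.isalpha()).lower()


def check_password(password: str, words: Iterable[str] = COMMON_WORDS,
                   personal: Iterable[str] = PERSONAL_INFO) -> List[str]:
    """Return the names of every rule the password fails (empty list = passes)."""
    words = {w.lower() for w in words}
    failed: List[str] = []
    if len(password) < 8:
        failed.append("length")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failed.append("mixed_case")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        failed.append("letters_and_digits")
    if not any(not c.isalnum() for c in password):
        failed.append("non_alphanumeric")
    core = letters_only(password)
    # Covers both "recognizable word" and "inverted recognizable word":
    # stripping digits and symbols exposes the word the user actually typed.
    if core in words or core[::-1] in words:
        failed.append("dictionary_word")
    lowered = password.lower()
    if any(tok.lower() in lowered for tok in personal if len(tok) >= 3):
        failed.append("personal_info")
    return failed


if __name__ == "__main__":
    for candidate in ["TloMroTsl35", "IwaAoC2itF90%", "password1", "drowssaP1!"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The reversed-word test is what catches "drowssaP1!": its letters spell "password" backwards, which the slides' "Do Not Invert Recognizable Words" rule forbids even though the string satisfies every length and character-class rule.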
8. Salting (cryptography) In cryptography, a salt comprises random bits that are used as one of the inputs to a key derivation function. The salt is usually followed by a password or a passphrase.
Salt data is used to complicate dictionary attacks that use pre-encryption dictionaries to crack passwords.
This protection works best when the salt data is kept secret and in a separate folder, just in case the database (SAM file) is stolen.
Early Unix systems used a 12-bit salt, but modern implementations use larger values.
Salt is closely related to the concept of a nonce.
Cryptographic protocols that use salts include SSL and Ciphersaber.
9. Salting Contd Salting makes a dictionary attack impractical, especially when the salt being used is very large, because it becomes prohibitively expensive in space and time for the hacker to build a rainbow table over every (salt + password) combination.
Example:
Assume a user's (encrypted) secret key is stolen and he is known to use one of 200,000 English words as his password. The system uses a 32-bit salt. The salted key is now the original password appended to this random 32-bit salt. Because of this salt, the attacker's pre-calculated hashes are of no value. He must calculate the hash of each word with each of 2^32 (4,294,967,296) possible salts appended until a match is found.
To complete this brute force attack the attacker must now compute 800 trillion hashes, instead of only 200,000.
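The effect described on slides 8 and 9 can be shown concretely: a table built from unsalted hashes answers a stolen unsalted hash with one lookup, but the same table returns nothing for a salted hash, and covering every salt multiplies the work by 2^32. The code below is an added example, not from the slides; SHA-256 stands in for the unspecified hash function, the salt is placed before the password as the slides describe, and the five-word dictionary and the fixed test salt are constructed. The work-factor function reproduces the slides' arithmetic: 200,000 words times 2^32 salts is 858,993,459,200,000 hashes, which the slides round to 800 trillion.

```python
"""Why a salt defeats a precomputed dictionary, using the slides' numbers.

Added example, not code from the original slides. SHA-256 is an assumed
stand-in for the slides' unspecified hash; DICTIONARY is a constructed
stand-in for the 200,000-word English dictionary.
"""
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for the 200,000-word English dictionary.
DICTIONARY = ["apple", "monroe", "tennessee", "password", "calculus"]


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(salt: bytes, password: str) -> str:
    # The slides' scheme: the random salt followed by the password.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """What an attacker prepares once, before seeing any stolen hash."""
    return {unsalted_hash(w): w for w in words}


def table_lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """The precomputed-table attack: one dictionary lookup per stolen hash."""
    return table.get(digest)


def store_password(password: str, salt_bytes: int = 4) -> Tuple[bytes, str]:
    """Create a (salt, digest) record; 4 random bytes is the slides' 32-bit salt.

    The salt is kept beside the digest because verification needs it, just as
    the $1$salt$hash layout of /etc/shadow keeps it beside the MD5 hash.
    """
    salt = os.urandom(salt_bytes)
    return salt, salted_hash(salt, password)


def verify_password(record: Tuple[bytes, str], candidate: str) -> bool:
    salt, digest = record
    return salted_hash(salt, candidate) == digest


def hashes_required(dictionary_size: int, salt_bits: int) -> int:
    """Work to cover every word with every possible salt, as the slides compute it."""
    return dictionary_size * 2 ** salt_bits


if __name__ == "__main__":
    table = build_precomputed_table(DICTIONARY)
    stolen_unsalted = unsalted_hash("monroe")
    print("unsalted lookup:", table_lookup(table, stolen_unsalted))
    salt, stolen_salted = store_password("monroe")
    print("salted lookup:  ", table_lookup(table, stolen_salted))
    print("hashes for 200,000 words x 32-bit salt:", hashes_required(200_000, 32))
```

The table is useless against the salted digest even though the password is in the dictionary and the salt is stored in the clear; the attacker's only remaining option is the per-salt recomputation the slides cost out.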
10. References Linux Password & Shadow File Formats:
http://tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
Front page image:
http://www.file-extensions.org/imgs/company-logo/891/linux-online-inc.jpg
Password Security:
http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-wstation-pass.html
Salt (cryptography):
http://en.wikipedia.org/wiki/Salting_(cryptography)