- 11-30-2010 #1 Just Joined!
- Join Date
- Nov 2010
- Posts
- 1
Linux Password Question
Hi All,
I am not a Linux user but am learning about it in a class and thought I would check it out. My teacher said that two Linux users cannot have the same passwords but never explained why?
Basic but can anyone help me out?
- 11-30-2010 #2
They should not, because this is close to a "shared account", aka: you as an admin cannot be sure who really is logged in.
But users can have the same password.
You must always face the curtain with a bow.
- 12-01-2010 #3 Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,970
Yes, users can have the same plain-text password. When you set your password, the system takes a number of transient factors (date, time, user process id, whatever) to create a "salt" value which is used to create the encrypted version of your password, and that is what is stored in the system files, such as /etc/shadow. When you log in, the salt value for your account is found and used to encrypt the plain-text that you type in. That results in an encrypted key that is then compared with what is in the system database. So, even if you and someone else have the same plain-text password, the system will create a different hash/salt value to create the encrypted version. The plain text is never stored on the system, and the encrypted value cannot be used to derive the plain-text version - it is what we call a one-way cipher.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 12-02-2010 #4
I think what your teacher meant was that two users should not have the same password. It's a gaping security hole. If one of them got cheesed off with the other, he could simply log on to his account and delete all his files!
"I'm just a little old lady; don't try to dazzle me with jargon!"
- 12-02-2010 #5 Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,970
Sorry Hazel, but this doesn't make sense to me. In order for students to know that they have the same password, they have to share them, which is what passwords are trying to avoid. Also, since the ciphers used to generate the encrypted (stored) version are one-way (you cannot derive the plain-text password from the encrypted version), there is no way that the system could determine that two students have identical passwords without running the encryption algorithm on the plain text against all the stored password cipher keys (salt values). Yes, you can do that, but that becomes a security hole also - it is basically what the more effective brute-force attacks do.
So, in my opinion, if what you say is correct, then that teacher seriously needs a remedial course in computer security.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
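The salted storage described in posts #3 and #5, as an added example that is not code from any poster in this thread: two accounts with the same password end up with different stored values, and finding out who shares a password takes one full hash per account. It assumes PBKDF2-HMAC-SHA512 from Python's `hashlib` as a stand-in for the crypt(3) scheme behind /etc/shadow, a random salt from `os.urandom`, and a simplified `salt$hash` record; all function names and accounts are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def make_entry(password: str, salt: bytes | None = None) -> str:
    """Return a 'salt$hash' record (simplified stand-in for a shadow field)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, entry: str) -> bool:
    """Login check: re-hash the typed password with the account's stored salt."""
    salt_hex, digest_hex = entry.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def users_matching(candidate: str, table: dict[str, str]) -> list[str]:
    """Audit helper: accounts whose password equals the candidate.

    The stored values cannot be compared with each other, so this costs
    one full hash per account, each with that account's own salt.
    """
    return sorted(u for u, entry in table.items() if verify(candidate, entry))


# Constructed sample accounts: alice and bob pick the same password.
SHADOW = {
    "alice": make_entry("correct horse"),
    "bob": make_entry("correct horse"),
    "carol": make_entry("something else"),
}

if __name__ == "__main__":
    for user, entry in SHADOW.items():
        print(user, entry[:48] + "...")
    print("same password:", users_matching("correct horse", SHADOW))
```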
- 12-02-2010 #6
Yes. It would also be nonsense if Linux warned you because someone has the same password. Then it should be easy for you to guess whose password this is.
There is no security risk based on password similarity. More important is to use safe passwords which no one could guess with brute-force and dictionary attacks. And of course if you use strong passwords it's less likely to have the same password for two users, but if that happens it is not a big issue because the password hash is salted.
Refining Linux Advent calendar: “24 Outstanding ZSH Gems”