  1. #1
    Just Joined!
    Join Date
    Oct 2009
    Posts
    59

    How secure is the login password?


    How secure is /etc/shadow really? What kind of hash function does the system use to secure the passwords and how secure is it really?

    I've read that the KDE folks say that using the same password for kWallet and for the user is insecure (Gnome keyring unlocks all of the passwords when you log in). Is this really insecure?

    How easy is it to break a user login password? I presume that a short and easy password consisting of letters only can be found in rainbow tables (though using salt probably helps mitigate this).

    Let's say I use a 12 character password consisting of small and capital letters, numbers and special characters. This should be hard to brute force or find in any rainbow tables if it's properly selected, right?

  2. #2
    Linux Enthusiast
    Join Date
    Jan 2005
    Location
    Saint Paul, MN
    Posts
    673
    Quote Originally Posted by SkyHiRider View Post
    How secure is /etc/shadow really? What kind of hash function does the system use to secure the passwords and how secure is it really?

    I've read that the KDE folks say that using the same password for kWallet and for the user is insecure (Gnome keyring unlocks all of the passwords when you log in). Is this really insecure?

    How easy is it to break a user login password? I presume that a short and easy password consisting of letters only can be found in rainbow tables (though using salt probably helps mitigate this).

    Let's say I use a 12 character password consisting of small and capital letters, numbers and special characters. This should be hard to brute force or find in any rainbow tables if it's properly selected, right?
    First of all, the shadow file can only be viewed from the root account (or from a person given too broad access to sudo commands which is typical for Ubuntu.)

    Having your login open all there other stuff (without obtaining a password from you) is bad because anyone that can gain root access can login as you and your encrypted stuff would not be open to that user.

    The "sudo" has a very good way of restricting what a user is allowed to do via it, but it seems that the new people to Unix/Linux seem to want it to allow full and open usage (a very insecure practice).

    Having auto "unlocking" of your stuff is by far more insecure than the "shadow" file.

  3. #3
    Linux Enthusiast Mudgen's Avatar
    Join Date
    Feb 2007
    Location
    Virginia
    Posts
    664
    man crypt
    for the hash function. /etc/shadow is more secure than keeping the encrypted passwords in /etc/passwd because it keeps them from being world readable on the system. But if someone can get a copy of your shadow file, it can be brute forced, eventually. A password such as you describe would likely take a very very long time.

    Using the same password for two functions, particularly on the same system, is inherently less secure than using different ones, because it lets you at both functions with one theft or crack. Unlocked keyrings have some inherent vulnerabilities in that the passphrase or the whole keyring ends up loaded into system memory, and available to anything that can read that.
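
The `man crypt` pointer above comes down to the prefix of the second field in each shadow line, which names the hash scheme and is followed by the per-user salt. As an added example (not part of the original post), this Python code reads that prefix to name the scheme and flag legacy ones; the sample lines are constructed, with placeholder salts and hashes.

```python
# Added example (not from the thread): identify the crypt(3) scheme behind
# each /etc/shadow entry from its "$id$" prefix and flag legacy ones.
# id -> (scheme name, needs attention)
SCHEMES = {
    "1": ("md5crypt", True),          # fast to compute, long obsolete
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "7": ("scrypt", False),
    "y": ("yescrypt", False),
}

def classify(line):
    """Return (user, scheme, salted, needs_attention) for one shadow(5) line."""
    user, field = line.strip().split(":")[:2]
    hashed = field.lstrip("!")         # a leading '!' only marks the password locked
    if hashed in ("", "*"):
        if field == "":
            return user, "empty password", False, True
        return user, "locked", False, False
    if hashed.startswith("$"):
        ident = hashed.split("$")[1]   # "$6$salt$hash" -> "6"
        name, flag = SCHEMES.get(ident, ("unknown id " + ident, True))
        return user, name, True, flag
    if hashed.startswith("_"):
        return user, "BSDi extended DES", True, True
    if len(hashed) == 13:              # 2-char salt, password cut at 8 chars
        return user, "traditional DES", True, True
    return user, "unrecognised", False, True

def audit(text):
    """Classify every non-blank line and return only the flagged entries."""
    rows = [classify(l) for l in text.splitlines() if l.strip()]
    return [r for r in rows if r[3]]

# Constructed sample: salts and hashes are placeholders, not real crypt output.
SAMPLE = """\
root:$6$ExampleSalt$CONSTRUCTEDplaceholder:19000:0:99999:7:::
alice:$y$j9T$ExampleSalt$CONSTRUCTEDplaceholder:19000:0:99999:7:::
bob:$1$abcdefgh$CONSTRUCTEDplaceholder:15000:0:99999:7:::
legacy:abCONSTRUCTED:12000:0:99999:7:::
daemon:*:18000:0:99999:7:::
carol:!$6$ExampleSalt$CONSTRUCTEDplaceholder:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, salted, _ in audit(SAMPLE):
        print(f"{user}: {scheme} (salted={salted})")
```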

  5. #4
    Linux Enthusiast sgosnell's Avatar
    Join Date
    Oct 2010
    Location
    Baja Oklahoma
    Posts
    507
    Give me unrestricted physical access to your machine, and your password is irrelevant. Give me a user account with sudo access, and it's the same. I can reset it to whatever I want, and access anything. There is no way to prevent that. It's the same for any OS. But that's not what passwords are for anyway. For preventing network access to a machine, a password such as the OP describes is certainly sufficient, because it would take longer to crack it by brute force than it's worth.

  6. #5
    Linux Newbie user-f11's Avatar
    Join Date
    Feb 2011
    Location
    Sofia, BG
    Posts
    185
    RE: 'How secure is the User password'
    Zero point zero zero, and it doesn't matter how it is chosen. A computer of class teraflop/s can break any code and any password within seconds, and a computer of class petaflop/s - in nanoseconds.

    This password is purely symbolic and is put to denote that 'third party' should not go there, not that it could not.

  7. #6
    Just Joined!
    Join Date
    Oct 2009
    Posts
    59
    Quote Originally Posted by user-f11 View Post
    RE: 'How secure is the User password'
    Zero point zero zero, and it doesn't matter how it is chosen. A computer of class teraflop/s can break any code and any password within seconds, and a computer of class petaflop/s - in nanoseconds.

    This password is purely symbolic and is put to denote that 'third party' should not go there, not that it could not.
    I know that if someone has access to a supercomputer that can do billions if not trillions of operations per second, my pass can be cracked. But gaining that kind of hardware is probably not very cheap, and I dare to say that if my pass needs a supercomputer to crack it, then I feel secure.

    I also know that if someone has physical access to my PC he can get inside by simply resetting the root password. I did that too when my server was hacked and the root pass was changed. It takes a few minutes to do that.

    But what I really wanted to know is if I have a long and pretty decent password stored in the shadow file (hashed) is there a simpler way for a hacker to get the actual password (I don't care if he resets it, as I can always do the same if it's my machine on my turf, but if he finds my root password he can gain my actual password and that would be a problem).

    Are there rainbow tables for the hash function used in shadow and how decent the tables are if they exist?

    Quote Originally Posted by alf55 View Post
    First of all, the shadow file can only be viewed from the root account (or from a person given too broad access to sudo commands which is typical for Ubuntu.)

    Having your login open all there other stuff (without obtaining a password from you) is bad because anyone that can gain root access can login as you and your encrypted stuff would not be open to that user.

    The "sudo" has a very good way of restricting what a user is allowed to do via it, but it seems that the new people to Unix/Linux seem to want it to allow full and open usage (a very insecure practice).

    Having auto "unlocking" of your stuff is by far more insecure than the "shadow" file.
    That's a good point. If someone resets my user password and logs in as me, will GNOME keyring unlock automatically or will it prompt for the old password as the login and pass in the keyring don't match? Will probably have to ask this one on the GNOME forum.

    And I fully agree that using sudo as a variant of su is bad practice. Don't know if Ubuntu gives sudo all the rights or just limited access, but it's probably the first case.

  8. #7
    Linux Enthusiast Mudgen's Avatar
    Join Date
    Feb 2007
    Location
    Virginia
    Posts
    664
    Quote Originally Posted by SkyHiRider View Post

    Are there rainbow tables for the hash function used in shadow and how decent the tables are if they exist?


    That's a good point. If someone resets my user password and logs in as me, will GNOME keyring unlock automatically or will it prompt for the old password as the login and pass in the keyring don't match? Will probably have to ask this one on the GNOME forum.

    And I fully agree that using sudo as a variant of su is bad practice. Don't know if Ubuntu gives sudo all the rights or just limited access, but it's probably the first case.
    Yes, there are such rainbow tables. Generally the ones with longer more complex passwords cost $. Use of sudo is a step in the right direction, but can almost certainly be exploited for a root shell unless a whitelist approach is taken, and quite possibly even then.

    I think Gnome keyring will prompt under the circumstances you describe, but would have to run a test to say for sure. If you test it, also check to see what happens if you already have a Gnome session running on the system. I can say for sure that the ssh/PKI key manager keychain will give access to the running key-agent to second/subsequent logins, so be aware of that. If you run keychain for your ssh keys, anyone who can su to your account while you're logged in can exploit your keys to log onto other systems where you have authorized_key access.

  9. #8
    Linux Enthusiast sgosnell's Avatar
    Join Date
    Oct 2010
    Location
    Baja Oklahoma
    Posts
    507
    I don't understand the problem with sudo. Sudo is like su, but it expires automatically after 5 minutes. With su, you have to remember to log out, otherwise your system is open to anyone forever. With sudo, you are logged out automatically. If you don't want a user to be able to use sudo or su, just don't give them admin rights.

  10. #9
    Linux Enthusiast sgosnell's Avatar
    Join Date
    Oct 2010
    Location
    Baja Oklahoma
    Posts
    507
    But what I really wanted to know is if I have a long and pretty decent password stored in the shadow file (hashed) is there a simpler way for a hacker to get the actual password (I don't care if he resets it, as I can always do the same if it's my machine on my turf, but if he finds my root password he can gain my actual password and that would be a problem).
    I'm not sure I understand your concern here. If he has the root password, he doesn't need your password. Root allows him to do whatever he wants with your account. Unless you have your /home encrypted with a different password, in which case I can see reasons for protecting that password. It's my understanding that the password itself wouldn't be stored anywhere, just the hash, which would be compared to the hash of the password you enter.

  11. #10
    Linux Enthusiast Mudgen's Avatar
    Join Date
    Feb 2007
    Location
    Virginia
    Posts
    664
    Quote Originally Posted by sgosnell View Post
    I don't understand the problem with sudo.
    Apparently not. I suppose the 5 minute expiration you speak of is the default period for which the sudo user's password is "remembered", which does reduce risk somewhat, as long as the user has not been configured as NOPASSWD in sudoers.

    But if someone does "sudo /bin/bash", that session does not expire after 5 minutes, it's the functional equivalent of sudo. And if you blacklist /bin/bash and the other shells, they can still get a shell via an escape from vi or other programs with shell escapes.
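
The sudo points raised in this post (NOPASSWD, a shell started through sudo, shell blacklists, and programs with shell escapes) can be checked for in a sudoers file. As an added example (not part of the original post), this Python code audits a constructed sudoers fragment; the program lists are illustrative assumptions and the parser handles only simple one-line rules.

```python
# Added example (not from the thread): flag sudoers user specifications that
# hand out a root shell, directly or through a program with a shell escape.
# Simplifications: one rule per line, aliases are not expanded, and anything
# after '#' is treated as a comment (so #include lines are ignored).
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}
ESCAPES = {"vi", "vim", "less", "more", "man"}   # illustrative, not exhaustive

def audit_sudoers(text):
    """Return (line_no, user, issue, nopasswd) for each risky command entry."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        who, _, rhs = raw.split("#", 1)[0].strip().partition("=")
        if not (who.strip() and rhs) or who.startswith("Defaults") or "_Alias" in who:
            continue
        user = who.split()[0]
        rhs = re.sub(r"^\s*\([^)]*\)", "", rhs)    # drop the (runas) list
        nopasswd = "NOPASSWD:" in rhs
        noexec = "NOEXEC:" in rhs                  # NOEXEC blocks most shell escapes
        rhs = re.sub(r"\b[A-Z]+:", "", rhs)        # drop the tags themselves
        for cmd in filter(None, (c.strip() for c in rhs.split(","))):
            prog = cmd.split()[0]
            base = prog.rsplit("/", 1)[-1]
            if prog == "ALL":
                issue = "all"          # any command, so any shell
            elif prog.startswith("!"):
                issue = "blacklist"    # denies one path; other routes remain
            elif base in SHELLS:
                issue = "shell"        # session outlives the password timeout
            elif base in ESCAPES and not noexec:
                issue = "escape"       # editor or pager can spawn a shell
            else:
                continue
            findings.append((n, user, issue, nopasswd))
    return findings

SAMPLE = """\
# constructed sudoers fragment for illustration
Defaults timestamp_timeout=5
alice   ALL=(ALL) ALL
bob     ALL=(root) NOPASSWD: /bin/bash
carol   ALL=(root) /usr/bin/vi /etc/hosts, /sbin/reboot
dave    ALL=(root) ALL, !/bin/bash, !/bin/sh
erin    ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```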
