How secure is /etc/shadow really? What kind of hash function does the system use to secure the passwords and how secure is it really? I've read that the KDE folks ...
- 03-13-2011 #1
- Join Date
- Oct 2009
How secure is the login password?
I've read that the KDE folks say that using the same password for kWallet and for the user is insecure (Gnome keyring unlocks all of the passwords when you log in). Is this really insecure?
How easy is it to break a user login password? I presume that a short and easy password consisting of letters only can be found in rainbow tables (though using salt probably helps mitigate this).
Let's say I use a 12 character password consisting of small and capital letters, numbers and special characters. This should be hard to brute force or find in any rainbow tables if it's properly selected, right?
- 03-14-2011 #2
- Join Date
- Jan 2005
- Saint Paul, MN
Having your login open all the other stuff (without obtaining a password from you) is bad because anyone that can gain root access can log in as you and your encrypted stuff would not be open to that user.
The "sudo" has a very good way of restricting what a user is allowed to do via it but it seems that the new people to Unix/Linux seem to want it to allow full and open usage (a very insecure practice.)
Having auto "unlocking" of your stuff is by far more insecure than the "shadow" file.
- 03-14-2011 #3
for the hash function. /etc/shadow is more secure than keeping the encrypted passwords in /etc/passwd because it keeps them from being world readable on the system. But if someone can get a copy of your shadow file, it can be brute forced, eventually. A password such as you describe would likely take a very very long time.
Using the same password for two functions, particularly on the same system, is inherently less secure than using different ones, because it lets you at both functions with one theft or crack. Unlocked keyrings have some inherent vulnerabilities in that the passphrase or the whole keyring ends up loaded into system memory, and available to anything that can read that.
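An added example, not written by any poster in this thread: the second field of each /etc/shadow line records the hash scheme and the per-user salt, and a per-user salt means a precomputed table would have to be built separately for every salt value. The sketch below classifies that field; the sample lines are constructed, and the names `classify` and `audit` and the decision to flag DES and MD5 crypt as legacy are this example's assumptions.

```python
# Added example: classify the password field (2nd column) of shadow lines.
# Scheme ids follow the crypt(3) "$id$..." convention.
SCHEMES = {
    "1": ("md5-crypt", False),          # legacy, flagged
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256-crypt", True),
    "6": ("sha512-crypt", True),
    "y": ("yescrypt", True),
}

def classify(field):
    """Return (scheme, salt, acceptable) for one shadow password field."""
    if field == "":
        return ("empty-password", None, False)
    if field[0] in "!*":                 # locked or login disabled
        return ("locked", None, True)
    if not field.startswith("$"):
        # Traditional DES crypt: 13 characters, the first two are the salt.
        if len(field) == 13:
            return ("des-crypt", field[:2], False)
        return ("unknown", None, False)
    parts = field.split("$")             # ['', id, ...]
    ident, rest = parts[1], parts[2:]
    name, ok = SCHEMES.get(ident, ("unknown", False))
    if rest and rest[0].startswith("rounds="):
        rest = rest[1:]                  # optional sha-crypt cost parameter
    if ident.startswith("2"):            # bcrypt: $2b$cost$<22-char salt><hash>
        salt = rest[1][:22] if len(rest) > 1 else None
    elif ident == "y":                   # yescrypt: $y$params$salt$hash
        salt = rest[1] if len(rest) > 2 else None
    else:                                # $id$salt$hash
        salt = rest[0] if len(rest) > 1 else None
    return (name, salt, ok)

def audit(lines):
    """Return [(user, scheme)] for entries that are not acceptable."""
    findings = []
    for line in lines:
        cols = line.strip().split(":")
        if len(cols) < 2:
            continue
        scheme, _salt, ok = classify(cols[1])
        if not ok:
            findings.append((cols[0], scheme))
    return findings

# Constructed sample lines; salts and digests are placeholders, not real hashes.
SAMPLE = [
    "root:$6$rounds=5000$Qk3fTz1a$PLACEHOLDERDIGEST:14682:0:99999:7:::",
    "alice:$1$ab12cd34$PLACEHOLDERDIGEST:14682:0:99999:7:::",
    "bob:abPLACEHOLDER:14682:0:99999:7:::",
    "daemon:*:14682:0:99999:7:::",
    "guest::14682:0:99999:7:::",
]
```

Run against a real file, this needs root to read /etc/shadow; only the scheme and salt are inspected, never the digest.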
- 03-14-2011 #4
Give me unrestricted physical access to your machine, and your password is irrelevant. Give me a user account with sudo access, and it's the same. I can reset it to whatever I want, and access anything. There is no way to prevent that. It's the same for any OS. But that's not what passwords are for anyway. For preventing network access to a machine, a password such as the OP describes is certainly sufficient, because it would take longer to crack it by brute force than it's worth.
- 03-14-2011 #5
RE: 'How secure is the User password'
Zero point zero zero, and it doesn't matter how it is chosen. A computer of class teraflop/s can break any code and any password within seconds, and a computer of class petaflop/s - in nanoseconds.
This password is purely symbolic and is put to denote that 'third party' should not go there, not that it could not.
- 03-14-2011 #6
- Join Date
- Oct 2009
I also know that if someone has physical access to my pc he can get inside by simply resetting the root password, I did that too when my server was hacked and the root pass was changed. It takes a few minutes to do that.
But what I really wanted to know is if I have a long and pretty decent password stored in the shadow file (hashed) is there a simpler way for a hacker to get the actual password (I don't care if he resets it, as I can always do the same if it's my machine on my turf, but if he finds my root password he can gain my actual password and that would be a problem).
Are there rainbow tables for the hash function used in shadow and how decent the tables are if they exist?
And I fully agree that using sudo as a variant of su is bad practice. Don't know if Ubuntu gives sudo all the rights or just limited access, but it's probably the first case.
- 03-14-2011 #7
I think Gnome keyring will prompt under the circumstances you describe, but would have to run a test to say for sure. If you test it, also check to see what happens if you already have a Gnome session running on the system. I can say for sure that the ssh/PKI key manager keychain will give access to the running key-agent to second/subsequent logins, so be aware of that. If you run keychain for your ssh keys, anyone who can su to your account while you're logged in can exploit your keys to log onto other systems where you have authorized_key access.
- 03-14-2011 #8
I don't understand the problem with sudo. Sudo is like su, but it expires automatically after 5 minutes. With su, you have to remember to log out, otherwise your system is open to anyone forever. With sudo, you are logged out automatically. If you don't want a user to be able to use sudo or su, just don't give them admin rights.
- 03-14-2011 #9
But what I really wanted to know is if I have a long and pretty decent password stored in the shadow file (hashed) is there a simpler way for a hacker to get the actual password (I don't care if he resets it, as I can always do the same if it's my machine on my turf, but if he finds my root password he can gain my actual password and that would be a problem).
- 03-14-2011 #10
But if someone does "sudo /bin/bash", that session does not expire after 5 minutes, it's the functional equivalent of sudo. And if you blacklist /bin/bash and the other shells, they can still get a shell via an escape from vi or other programs with shell escapes.