How secure is the login password?

How secure is /etc/shadow really? What kind of hash function does the system use to secure the passwords and how secure is it really?

I've read that the KDE folks say that using the same password for kWallet and for the user is insecure (Gnome keyring unlocks all of the passwords when you log in). Is this really insecure?

How easy is it to break a user login password? I presume that a short an easy password consisting of letters only can be found in rainbow tables (thou using salt probably helps mitigate this).

Let's say I use a 12 character password consisting of small and capital letters, numbers and special characters. This should be hard to brute force or find in any rainbow tables if it's properly selected, right?

Quote:

---

Originally Posted by SkyHiRider

How secure is /etc/shadow really? What kind of hash function does the system use to secure the passwords and how secure is it really?

I've read that the KDE folks say that using the same password for kWallet and for the user is insecure (Gnome keyring unlocks all of the passwords when you log in). Is this really insecure?

How easy is it to break a user login password? I presume that a short an easy password consisting of letters only can be found in rainbow tables (thou using salt probably helps mitigate this).

Let's say I use a 12 character password consisting of small and capital letters, numbers and special characters. This should be hard to brute force or find in any rainbow tables if it's properly selected, right?

---

First of all, the shadow file can only be viewed from the root account (or from a person given too broad access to sudo commands which is typical for Ubuntu.)

Having your login open all there other stuff (without obtaining a password from you) is bad because anyone that can gain root access can login as you and your encrypted stuff would not be open to that user.

The "sudo" has a very good way of restricting what a user is allowed to do via it but it seems that the new people to Unix/Linux seems to want it to allow full and open usage (a very insecure practice.)

Having auto "unlocking" of your stuff is by far more insecure than the "shadow" file.

man crypt
for the hash function. /etc/shadow is more secure than keeping the encrypted passwords in /etc/passwd because it keeps them from being world readable on the system. But if someone can get a copy of your shadow file, it can be brute forced, eventually. A password such as you describe would likely take a very very long time.

Using the same password for two functions, particularly on the same system, is inherently less secure than using different ones, because it lets you at both functions with one theft or crack. Unlocked keyrings have some inherent vulnerabilities in that the passphrase or the whole keyring ends up loaded into system memory, and available to anything that can read that.

Give me unrestricted physical access to your machine, and your password is irrelevant. Give me a user account with sudo access, and it's the same. I can reset it to whatever I want, and access anything. There is no way to prevent that. It's the same for any OS. But that's not what passwords are for anyway. For preventing network access to a machine, a password such as the OP describes is certainly sufficient, because it would take longer to crack it by brute force than it's worth.

RE: 'How secure is the User password'
Zero point zero zero, and it doesn't matter how it is chosen. A computer of class teraflop/s can break any code and any password within seconds, and a computer of class petaflop/s - in nonseconds.

This password is purely symbolic and is put to denote that 'third party' should not go there, not that it could not.

Quote:

---

Originally Posted by user-f11

RE: 'How secure is the User password'
Zero point zero zero, and it doesn't matter how it is chosen. A computer of class teraflop/s can break any code and any password within seconds, and a computer of class petaflop/s - in nonseconds.

This password is purely symbolic and is put to denote that 'third party' should not go there, not that it could not.

---

I know that if someone has access to a supercomputer that can do billions if not trillions of operation per second my pass can be cracked :) But gaining that kind of hardware is probably not very cheap and I dare to say that if my pass needs a supercomputer to crack it than I feel secure :)

I also know that if someone has physical access to my pc he can get inside by simply reseting the root password, I did that too when my server was hacked and the root pass was changed. It takes a few minutes to do that.

But what I really wanted to know is if I have a long and pretty decent password stored in the shadow file (hashed) is there a simpler way for a hacker to get the actual password (I don't care if he resets it, as I can always do the same if its my machine on my turf, but if he finds my root password he can gain my actual password and that would be a problem).

Are there rainbow tables for the hash function used in shadow and how decent the tables are if they exist?

Quote:

---

Originally Posted by alf55

First of all, the shadow file can only be viewed from the root account (or from a person given too broad access to sudo commands which is typical for Ubuntu.)

Having your login open all there other stuff (without obtaining a password from you) is bad because anyone that can gain root access can login as you and your encrypted stuff would not be open to that user.

The "sudo" has a very good way of restricting what a user is allowed to do via it but it seems that the new people to Unix/Linux seems to want it to allow full and open usage (a very insecure practice.)

Having auto "unlocking" of your stuff is by far more insecure than the "shadow" file.

---

Thats a good point, if someone resets my user password and logs in as me, will GNOME keyring unlock automatically or will it prompt for the old password as the login and pass in the keyring don't match? Will probably have to ask this one on the GNOME forum.

And I fully agree that using sudo as a variant of su is bad practice. Don't know if Ubuntu gives sudo all the rights or just limited access, but it's probably the first case.

Quote:

---

Originally Posted by SkyHiRider

Are there rainbow tables for the hash function used in shadow and how decent the tables are if they exist?


Thats a good point, if someone resets my user password and logs in as me, will GNOME keyring unlock automatically or will it prompt for the old password as the login and pass in the keyring don't match? Will probably have to ask this one on the GNOME forum.

And I fully agree that using sudo as a variant of su is bad practice. Don't know if Ubuntu gives sudo all the rights or just limited access, but it's probably the first case.

---

Yes, there are such rainbow tables. Generally the ones with longer more complex passwords cost $. Use of sudo is a step in the right direction, but can almost certainly be exploited for a root shell unless a whitelist approach is taken, and quite possibly even then.

I think Gnome keyring will prompt under the circumstances you describe, but would have to run a test to say for sure. If you test it, also check to see what happens if you already have a Gnome session running on the system. I can say for sure that the ssh/PKI key manager keychain will give access to the running key-agent to second/subsequent logins, so be aware of that. If you run keychain for your ssh keys, anyone who can su to your account while you're logged in can exploit your keys to log onto other systems where you have authorized_key access.

I don't understand the problem with sudo. Sudo is like su, but it expires automatically after 5 minutes. With su, you have to remember to log out, otherwise your system is open to anyone forever. With sudo, you are logged out automatically. If you don't want a user to be able to use sudo or su, just don't give them admin rights.

Quote:

---

But what I really wanted to know is if I have a long and pretty decent password stored in the shadow file (hashed) is there a simpler way for a hacker to get the actual password (I don't care if he resets it, as I can always do the same if its my machine on my turf, but if he finds my root password he can gain my actual password and that would be a problem).

---

I'm not sure I understand your concern here. If he has the root password, he doesn't need your password. Root allows him to do whatever he wants with your account. Unless you have your /home encrypted with a different password, in which case I can see reasons for protecting that password. It's my understanding that the password itself wouldn't be stored anywhere, just the hash, which would be compared to the hash of the password you enter.

Quote:

---

Originally Posted by sgosnell

I don't understand the problem with sudo.

---

Apparently not. I suppose the 5 minute expiration you speak of is the default period for which the sudo user's password is "remembered", which does reduce risk somewhat, as long as the user has not been configured as NOPASSWD in sudoers.

But if someone does "sudo /bin/bash", that session does not expire after 5 minutes, it's the functional equivalent of sudo. And if you blacklist /bin/bash and the other shells, they can still get a shell via an escape from vi or other programs with shell escapes.