Illuminating shadow passwords

March 26, 2001, 04:21 PM — LinuxWorld.com


Why shadow passwords? Simply put, the shadow password scheme addresses the major shortcoming of the original Unix password-handling scheme: the password list, encrypted passwords included, was stored in a world-readable file.



The encoding mechanism for Unix passwords was (and is) very secure, being a one-way algorithm and therefore easy to apply but impossible to reverse. However, the password file itself is vulnerable to a cracking technique known as a dictionary attack, in which all the words from a large dictionary file are encoded and compared with the encoded password (readable by any user, remember) in /etc/passwd. This dictionary file is usually based on a normal English-language dictionary, with the addition of slang and weak passwords like "gandalf," "xyzzy," "qwerty," or even (God help us) "password." If the two match, then the original unencoded word is the password.


This may sound simple, but it takes a while to run the tens, or hundreds, of thousands of dictionary entries against a single password. Still, it is not extremely difficult with today's high-performance computing systems. Shadow passwords retain the Unix password mechanism and its backward compatibility with the huge Unix application base, while preventing the dictionary attack.



An overview



Let's take a look at the various components of the shadow password system. It uses four files: /etc/passwd, /etc/shadow, /etc/group, and /etc/login.defs.


/etc/passwd


The /etc/passwd file is the same standard colon-delimited file used since the Unix days, but with a slight difference: the second field, which previously contained the password, now holds only an x, which indicates that the actual encrypted password is stored elsewhere.
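As an added example (not from the original article), the following Python cross-checks /etc/passwd against /etc/shadow along the lines just described: every passwd entry should carry the x placeholder and have a shadow entry, and the shadow hash format tells you whether the account is still on the traditional crypt scheme. The entries and hashes are constructed samples, not taken from any real system.

```python
# Constructed sample files; the hash strings are made up for illustration.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
legacy:abJnggxhB/yWI:1001:1001:Old Account:/home/legacy:/bin/sh
svc:x:1002:1002:Service:/var/svc:/bin/false
"""

SHADOW_SAMPLE = """\
root:$1$saltsalt$QmZwXQ0vT4p7Hx3F5hJd1.:11700:0:99999:7:::
alice:abJnggxhB/yWI:11700:0:99999:7:::
svc::11700:0:99999:7:::
"""


def classify_hash(hashed):
    # Describe the second field of a shadow entry.
    if hashed == "":
        return "empty password field"
    if hashed.startswith(("!", "*")):
        return "locked account"
    if hashed.startswith("$1$"):
        return "MD5 crypt (whole password significant)"
    if len(hashed) == 13 and "$" not in hashed:
        # Traditional DES crypt: 2-char salt + 11-char hash, 8-char limit.
        return "traditional DES crypt (only first 8 chars significant)"
    return "unrecognised hash format"


def audit(passwd_text, shadow_text):
    # Return (account, finding) pairs, one per /etc/passwd entry.
    shadow = {}
    for line in filter(str.strip, shadow_text.splitlines()):
        name, hashed = line.split(":")[:2]
        shadow[name] = hashed
    findings = []
    for line in filter(str.strip, passwd_text.splitlines()):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed passwd entry"))
        elif fields[1] != "x":
            # The hash sits in the world-readable file: the exposure
            # the shadow scheme exists to remove.
            findings.append((fields[0], "hash stored in world-readable /etc/passwd"))
        elif fields[0] not in shadow:
            findings.append((fields[0], "no /etc/shadow entry"))
        else:
            findings.append((fields[0], classify_hash(shadow[fields[0]])))
    return findings
```

Running audit(PASSWD_SAMPLE, SHADOW_SAMPLE) flags the legacy account, whose hash never made it out of /etc/passwd, and the svc account with no password at all.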


Rules for good passwords


Do not use:

  • The account name
  • Any word found in a dictionary
  • Names of people or things
  • Publicly available information about yourself, e.g. your phone number
  • Keyboard sequences like "qwerty"

Do use:

  • Longer passwords -- at least six characters is a good rule
  • A mixture of numbers and letters
  • A mixture of uppercase and lowercase letters



The maximum practical length for a password (if you do not have MD5 capability) is eight characters. You can use longer passwords without MD5, but only the first eight characters are significant. So "qwertyuiZ13xi" is not a good password because it is effectively just "qwertyui," an easily guessable keyboard sequence.
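The following Python is an added example (not from the original article) that applies the rules above to a candidate password and, when MD5 passwords are not available, judges only the first eight characters, which is exactly why "qwertyuiZ13xi" fails. The word list and keyboard rows are constructed stand-ins for a real dictionary file.

```python
# Constructed stand-in for a dictionary file of weak passwords.
WORDLIST = {"gandalf", "xyzzy", "qwerty", "password", "linux", "secret"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_keyboard_sequence(s, run=4):
    # True if any `run` consecutive characters walk along a keyboard row
    # in either direction.
    s = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(s) - run + 1):
            chunk = s[i:i + run]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def check_password(password, account, md5_capable=False):
    # Return the list of rules the password breaks (empty list = passes).
    # Without MD5, traditional crypt() only looks at the first eight
    # characters, so that is all we get to judge.
    effective = password if md5_capable else password[:8]
    low = effective.lower()
    problems = []
    if len(effective) < 6:
        problems.append("shorter than six characters")
    if account.lower() in low:
        problems.append("contains the account name")
    if low in WORDLIST:
        problems.append("dictionary word")
    if is_keyboard_sequence(effective):
        problems.append("keyboard sequence")
    if not (any(c.isdigit() for c in effective)
            and any(c.isalpha() for c in effective)):
        problems.append("no mix of letters and digits")
    if not (any(c.isupper() for c in effective)
            and any(c.islower() for c in effective)):
        problems.append("no mix of upper- and lowercase")
    if effective != password:
        problems.append("only the first eight characters are significant")
    return problems
```

With md5_capable=False the article's "qwertyuiZ13xi" collapses to "qwertyui" and fails three rules; with MD5 available the same string is only caught for its leading keyboard run.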


The shadow password suite, like the older Unix method, uses the seventh GECOS field of /etc/passwd as an extension mechanism for adding other fields of information.



This field contains the user's full name. On systems with user disk quotas enabled, the flags for ulimit, umask, and niceness can also be set there.



ulimit controls the maximum size for user-created files.



umask is the permissions
