How Linux Stores Passwords - PowerPoint PPT Presentation

Provided by: xav852
1
How Linux Stores Passwords
2
How Linux Stores Passwords
  • Traditional Unix systems keep user account
    information, including one-way encrypted
    passwords, in a text file called /etc/passwd.
    As this file is used by many tools (such as
    ls) to display file ownerships, etc., by
    matching user IDs with user names, the
    file needs to be world-readable. This can be
    somewhat of a security risk.
  • While some other Linux distributions force you
    to install the Shadow Password Suite in order to
    use the shadow format, Red Hat makes it simple.
    To switch between the two formats, type (as
    root).

3
Password Protection
  • For security purposes, the Red Hat Linux
    installation program defaults to using the
    Message-Digest Algorithm (MD5) and shadow
    passwords. It is highly recommended that you do
    not alter these settings.
  • If MD5 passwords are deselected during
    installation, the old DES (Data Encryption
    Standard) format is used. This allows alphanumeric
    passwords of up to eight characters and provides
    only a 56-bit level of encryption.

4
Password Shadowing
  • As with the traditional method, this method
    stores account information in the /etc/passwd
    file in a compatible format. However, the
    password is stored as a single "x" character (i.e.
    not actually stored in this file). A second file,
    called /etc/shadow, contains the encrypted
    password as well as other information such as
    account or password expiration values, etc. The
    /etc/shadow file is readable only by the root
    account and is therefore less of a security risk.
  • Shadow commands
  • /usr/sbin/pwconv: to convert to the shadow
    format.
  • /usr/sbin/pwunconv: to convert back to the
    traditional format.
  • With shadow passwords, the /etc/passwd file
    contains account information, and looks like
    this:
  • smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash

5
Password Hashing Cont'd
  • If password shadowing is deselected then
    passwords are stored in the /etc/passwd file as
    one-way hashes in a world-readable file. This leaves
    the machine vulnerable to attacks if someone is
    able to physically gain access and use one of
    numerous password crackers.
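An added example, not from the slides: a small Python parser for the /etc/passwd and /etc/shadow record formats described on slides 4 and 5, with a check that flags accounts whose hash is still sitting in the world-readable passwd file (i.e. shadowing was deselected). The sample records and the hash strings in them are constructed placeholders, not real digests.

```python
# Added example (not from the slides): parse /etc/passwd and /etc/shadow
# records and flag accounts whose hash is in the world-readable passwd file.

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max",
                 "warn", "inactive", "expire", "reserved")
LOCK_MARKERS = {"*", "!", "!!"}  # locked / no-login: no hash to crack

def parse_record(line, names):
    """Split one colon-separated record; the field count must match."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(names):
        raise ValueError(f"expected {len(names)} fields: {line!r}")
    return dict(zip(names, fields))

def split_crypt(field):
    """Split a modular-crypt hash '$id$salt$hash' as stored in /etc/shadow.
    Assumes the plain three-part form without '$rounds=' parameters."""
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError(f"not a $id$salt$hash field: {field!r}")
    return {"id": parts[1], "salt": parts[2], "hash": parts[3]}

def unshadowed_accounts(passwd_text):
    """Return (name, reason) for each entry whose password field is not
    the 'x' placeholder: a real hash in /etc/passwd, or no password at all."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_record(line, PASSWD_FIELDS)
        pw = rec["passwd"]
        if pw == "x" or pw in LOCK_MARKERS:
            continue
        reason = "empty password field" if pw == "" else "hash stored in /etc/passwd"
        findings.append((rec["name"], reason))
    return findings

# Constructed sample records; the hash strings are placeholders, not real digests.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
legacy:$1$abcdefgh$PLACEHOLDERHASH:1001:1001:Legacy:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
"""
SAMPLE_SHADOW = "smithj:$6$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::"
```

Running `unshadowed_accounts` over a real /etc/passwd is a quick audit that the `x` placeholder is in place for every account.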

6
Choosing Passwords DON'TS!
  • Do Not Use Only Words or Numbers
  • Do Not Use Recognizable Words
  • Do Not Use Words in Foreign Languages
  • Do Not Use Hacker Terminology
  • Do Not Use Personal Information
  • Do Not Invert Recognizable Words
  • Do Not Write Down Your Password
  • Do Not Use the Same Password For All Machines

7
Choosing Passwords DO'S!
  • Make the Password At Least Eight Characters Long
  • Mix Upper and Lower Case Letters
  • Mix Letters and Numbers
  • Include Non-Alphanumeric Characters
  • Pick a Password You Can Remember
  • Examples of strong passwords
  • Turn left on Monroe, right on Tennessee, speed
    limit 35.
  • Password: TloMroTsl35
  • I want an A on Calculus 2 in the Fall, 90.
  • Password: IwaAoC2itF90

8
Salting (cryptography)
  • In cryptography, a salt comprises random bits
    that are used as one of the inputs to a key
    derivation function. The salt is usually followed
    by a password or a passphrase.
  • Salt data is used to complicate dictionary
    attacks which use pre-encrypted dictionaries to
    crack passwords.
  • This protection works best when the salt data is
    kept secret and in a separate folder, in case
    the database (SAM file) is stolen.
  • Early Unix systems used a 12-bit salt, but
    modern implementations use larger values.
  • Salt is closely related to the concept of a nonce.
  • Cryptographic protocols that use salts include
    SSL and CipherSaber.

9
Salting Cont'd
  • Salting makes a dictionary attack impractical,
    especially when the salt being used is very
    large, making it hard for the hacker to create a
    rainbow table of (salt, password) pairs
    because of space and time inefficiencies.
  • Example
  • Assume a user's (encrypted) secret key is stolen
    and he is known to use one of 200,000 English
    words as his password. The system uses a 32-bit
    salt. The salted key is now the original password
    appended to this random 32-bit salt. Because of
    this salt, the attacker's pre-calculated hashes
    are of no value. He must calculate the hash of
    each word with each of 2^32 (4,294,967,296)
    possible salts appended until a match is found.
  • To complete this brute-force attack the attacker
    must now compute 800 trillion hashes, instead of
    only 200,000.
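An added example, not from the slides, that works through the argument of slides 8 and 9 in Python: a precomputed table of unsalted hashes recovers a stolen hash immediately, the same password hashed with a salt is not in the table, and `brute_force_work` reproduces the words × 2^32 work factor. SHA-256 stands in for the system's crypt function, and the dictionary and salt are constructed toy values.

```python
# Added example (not from the slides): why a salt defeats a precomputed
# dictionary table, and the work factor from slide 9 (words * 2**salt_bits).
import hashlib

def unsalted_hash(password):
    """What an unsalted system stores; SHA-256 stands in for crypt."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(salt, password):
    """Hash salt || password, as the slide describes the salted key."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_table(words):
    """Attacker's precomputed table: unsalted hash -> word."""
    return {unsalted_hash(w): w for w in words}

def brute_force_work(dictionary_size, salt_bits):
    """Hashes needed when the salt is unknown: every word under every salt.
    salt_bits=0 gives the unsalted cost, i.e. just the dictionary size."""
    return dictionary_size * 2 ** salt_bits

# Constructed toy dictionary and a constructed 32-bit salt.
WORDS = ["monroe", "tennessee", "calculus", "password"]
SALT = bytes.fromhex("0badcafe")

def demo():
    """Look up a stolen hash in the table, without and then with a salt."""
    table = build_table(WORDS)
    return (table.get(unsalted_hash("monroe")),      # found: "monroe"
            table.get(salted_hash(SALT, "monroe")))  # None: table is useless
```

The 2^32 factor assumes the attacker does not know the salt; in /etc/shadow the salt is stored in the clear beside the hash, so what salting buys in practice is that one precomputed table cannot be reused across users or systems.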
