Cracking Passwords


One of the most common ways to get privileges is to crack the password file. Password cracking is the process of recovering a password by running guesses through the same cipher the system uses to verify passwords and comparing each result with the stored value. On UNIX systems, passwords are not actually decrypted; they are guessed. Standard UNIX passwords are up to eight characters long. Many systems require a minimum of six characters and the inclusion of a numeral or special character. However, the superuser can override these minimums. Often when accounts are created, the superuser will create them with a simple password or no password at all.

No account should be allowed without a password. As a system manager, you should set the user's initial password, using a good password as an example to the users. You should not e-mail the new password to the user. Many hackers scan mail looking for keywords like password or secret.

Generally, getting access to passwords is very simple for the hacker. The password file is readable to all users, so the hacker can easily copy it to his system to crack. The only way to secure the password file is to use shadow passwords.

Changing the Algorithm

Password cracking requires knowing both the cryptographic algorithm and the resulting cipher text in order to compare the result of using a guessed password to the stored cipher text. Changing the algorithm can diminish the ability of the hacker to crack the password.

Altering the crypt library routine on UNIX systems will change how the password is calculated. This will give you a password file that is nonstandard, causing password guessing to fail. This, of course, requires that you have the source code to your operating system. The simplest change is to alter the number of times that the cryptographic routine is run against the cipher. Altering the crypt routine will not only make password cracking ineffective on other machines, it will also make the password field of no use to other machines that do not have the same alterations. So, to support an enterprise-wide identification environment, all the systems must be identically modified. If you plan to use NIS to share passwords, you will have to do the same modification on all the systems that are involved. Cracking routines can still be run on the modified system itself, since there the cracking tool will call the modified crypt function.

Red Hat Linux allows the use of the MD5 algorithm to encrypt passwords. This algorithm allows a long password to be used (up to 256 characters), instead of the standard eight characters or less, and is much more difficult to crack.

On Slackware Linux, MD5 passwords are enabled by editing the /etc/login.defs file so that the MD5_CRYPT_ENAB line says yes instead of no.

Shadow Passwords

Shadow passwords remove the encrypted password field from the public password file and put it into a file that is accessible only to root. The location of the secure password file will vary depending on implementation. This deters cracking methods, because the encrypted password is not available to ordinary users. Some implementations will allow access to the encrypted password via the getpwent or the getspent subroutine. You need to validate that these routines will return encrypted passwords only when run by the superuser. If either of these subroutines will return the encrypted password to nonsuperusers, then your shadow password system is not offering you the protection it should and you need to petition your vendor to fix this security problem.

HP-UX implements shadowed passwords as part of its trusted system base. The /etc/lbin/tsconvert command is used to convert the HP-UX system to a trusted system. The shadow passwords are stored in user directories within the /tcb/files/auth directory structure by username. Trusted HP-UX does not support NIS, but it will support NIS+ with some limited functionality.

Shadow passwords are available in HP-UX 11.22 without requiring trusted systems. The 11.22 HP-UX release of shadow passwords is based on the de facto standard provided in Sun Solaris, Linux, and other UNIX flavors. The pwconv command can be run to move encrypted passwords from the publicly readable /etc/passwd file to /etc/shadow, and replace the password fields in /etc/passwd with 'x'. Afterwards, pwunconv can be run to convert back to a standard system. In 11.22 shadow passwords are not supported with NIS, NIS+ nor LDAP.

Current versions of the standard PAM for Linux support shadow passwords without modification. Early versions require selecting a specific PAM module for shadow support, generally unix+shadow.
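The checks the chapter recommends can be automated. The script below is an added example, not code from the book: it reads the contents of a passwd file and a shadow file and reports accounts with no password, password hashes still sitting in the world-readable passwd file (the situation pwconv fixes), and hashes that still use the traditional 13-character DES format rather than MD5. The sample lines are constructed for the example, with placeholder hash strings, and the prefix table goes beyond the book's MD5 discussion by also recognizing the later SHA-256, SHA-512 and yescrypt crypt(3) prefixes.

```python
# Added example (not from the book): audit passwd/shadow contents for the
# weaknesses discussed in this chapter. Run it against copies of the real
# files only as root; the strings below are constructed sample data.

from typing import Dict, List

# Constructed passwd file: one account is not shadowed (legacy) and one has
# an empty password field (bob). The DES hash string is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob::1001:1001:Bob:/home/bob:/bin/sh
legacy:abJnggxhB/yWI:1002:1002:Legacy:/home/legacy:/bin/sh
"""

# Constructed shadow file: carol has no password, dave is locked.
# The hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$1$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
carol::19000:0:99999:7:::
dave:!:19000:0:99999:7:::
"""


def classify_hash(field: str) -> str:
    """Classify a password field by its crypt(3) prefix."""
    if field == "":
        return "empty"          # no password at all
    if field == "x":
        return "shadowed"       # real hash lives in the shadow file
    if field.startswith(("!", "*")):
        return "locked"         # account cannot log in with a password
    if field.startswith("$1$"):
        return "md5"
    if field.startswith("$5$"):
        return "sha256"
    if field.startswith("$6$"):
        return "sha512"
    if field.startswith("$y$"):
        return "yescrypt"
    if len(field) == 13 and "$" not in field:
        return "des"            # traditional 8-character-limited crypt
    return "unknown"


def audit(passwd_text: str, shadow_text: str) -> List[Dict[str, str]]:
    """Return one finding per problem: {'user', 'file', 'issue'}."""
    findings: List[Dict[str, str]] = []

    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, field = line.split(":", 2)[:2]
        kind = classify_hash(field)
        if kind == "empty":
            findings.append({"user": name, "file": "passwd", "issue": "no password"})
        elif kind not in ("shadowed", "locked"):
            # Any hash here is readable by every user on the system.
            findings.append({"user": name, "file": "passwd",
                             "issue": f"hash in world-readable passwd ({kind})"})

    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, field = line.split(":", 2)[:2]
        kind = classify_hash(field)
        if kind == "empty":
            findings.append({"user": name, "file": "shadow", "issue": "no password"})
        elif kind == "des":
            findings.append({"user": name, "file": "shadow",
                             "issue": "legacy DES hash (enable MD5 or stronger)"})

    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f['file']}: {f['user']}: {f['issue']}")
```

On a live system, replace the sample strings with the contents of /etc/passwd and /etc/shadow (or the vendor's shadow location); the empty-field check is the one the chapter insists on, and any finding in the passwd file means the hashes are still exposed to every local user.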



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210