Loading ...Howto: Protect account against a password cracking attack
Usually most Linux and UNIX system use a password for authentication purpose i.e. to verify your identity.
If your password is obtained using cracking attack, your data, computer, and network comes under attack. Therefore, you must protect your self from a password cracking attack.
=> Use shadow and Message-Digest Algorithm (MD5) passwords.
=> Make sure root user only owns your /etc/shadow file (you can write protect this file with chattr command)
=> Use a strong password. Attacker will try both ssh or ftp login using brute-force technique. Try to avoid following type of password:
- Numeric or words only password (e.g. 123456 or abc)
- Do not use your own name or pet name or recognizable words from dictionary
- Avoid using personal information such as birth date or pin/zip number
- Do not write down password
- Do not use same password for all servers
=> A good password includes
- At least 15 characters long
- Mixture of alphabets, number, special character and upper and lower alphabets
- Most important pick a password you can remember.
Fortunately, Linux and UNIX allow you to setup tight password policies:
- Use specialize tools to check password weakness
- Enforce password aging
- Enforce strong password combination
- Disable user account if failed login attempt detected (for example if login attempt failed 5 times in a row).
Stay tuned, for more information. I will write about how to implement these password policies.
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in other helpful articles:
- Linux check passwords against a dictionary attack
- Yet Another Reason to Have Offsite Data Backup
- What is the difference between password and passphrase under OpenSSH with DSA / RAS public key authentication?
- FreeBSD: Finding passwordless (no password) account and lock all accounts
- Search for all account without password and lock them
Discussion on This Article:
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
hi..
can u reply to my mail how you can decrypt passwords in the /etc/shadow file…..
You cannot decrypt passwords in the /etc/shadow. You can just encrypt password and compare with /etc/shadow version using API
> Do not write down password
I disagree with that. In this day and age there’s almost no way to NOT write down passwords.
I see it this way: when you do write it down (assuming, of course, you store everything in a reasonably secure place…like your wallet) it makes it much easier to choose GOOD passwords, as opposed to lousy one’s just so you can remember them…
Btw., most authentication routines use 128-bit encryption/hashing, incl. Linux passwords (MD5). In order to make your passwords at least as strong as the underlying algorithm you need at least 28 *randomly chosen* characters, if you were only picking from the 26 lower-case english alphabet. Picked from upper and lower-case (52 chars) you’d need 23 randomly chosen characters and if you add the 0-9 numbers into the mix (62 chars), you’d still need at least 22 random characters out of that.
Now you know how weak your password really is compared to the technical implementation of it