Howto: Protect account against a password cracking attack

by on August 28, 2006 · 4 comments· LAST UPDATED August 28, 2006

in , ,

Usually most Linux and UNIX system use a password for authentication purpose i.e. to verify your identity.

If your password is obtained using cracking attack, your data, computer, and network comes under attack. Therefore, you must protect your self from a password cracking attack.

=> Use shadow and Message-Digest Algorithm (MD5) passwords.

=> Make sure root user only owns your /etc/shadow file (you can write protect this file with chattr command)

=> Use a strong password. Attacker will try both ssh or ftp login using brute-force technique. Try to avoid following type of password:

  • Numeric or words only password (e.g. 123456 or abc)
  • Do not use your own name or pet name or recognizable words from dictionary
  • Avoid using personal information such as birth date or pin/zip number
  • Do not write down password
  • Do not use same password for all servers

=> A good password includes

  • At least 15 characters long
  • Mixture of alphabets, number, special character and upper and lower alphabets
  • Most important pick a password you can remember.

Fortunately, Linux and UNIX allow you to setup tight password policies:

  • Use specialize tools to check password weakness
  • Enforce password aging
  • Enforce strong password combination
  • Disable user account if failed login attempt detected (for example if login attempt failed 5 times in a row).

Stay tuned, for more information. I will write about how to implement these password policies.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 4 comments… read them below or add one }

1 amnju March 18, 2007 at 6:14 am

hi..
can u reply to my mail how you can decrypt passwords in the /etc/shadow file…..

Reply

2 nixCraft March 19, 2007 at 3:19 pm

You cannot decrypt passwords in the /etc/shadow. You can just encrypt password and compare with /etc/shadow version using API

Reply

3 Harka May 26, 2008 at 12:15 pm

> Do not write down password

I disagree with that. In this day and age there’s almost no way to NOT write down passwords.
I see it this way: when you do write it down (assuming, of course, you store everything in a reasonably secure place…like your wallet) it makes it much easier to choose GOOD passwords, as opposed to lousy one’s just so you can remember them…

Btw., most authentication routines use 128-bit encryption/hashing, incl. Linux passwords (MD5). In order to make your passwords at least as strong as the underlying algorithm you need at least 28 *randomly chosen* characters, if you were only picking from the 26 lower-case english alphabet. Picked from upper and lower-case (52 chars) you’d need 23 randomly chosen characters and if you add the 0-9 numbers into the mix (62 chars), you’d still need at least 22 random characters out of that.
Now you know how weak your password really is compared to the technical implementation of it :-)

Reply

4 READ THIS July 7, 2013 at 2:52 pm

using md5 is as hazardeous as to not use the shadow file since it’s the most popular encrypt method and since there are way to identify collisions and finally reverse tables (rainbow tables) are available for free online. you can find them thanks google !!!!!!.

md5 is just good for files to be check as sum of control for not important files
(ex : check downlads …)

md5 encryption use’s are outdated for more than 10 YEARS
there also exist automatic software to root severs who use md5 hash table (I truly hope it’s not the case for this website) or with a md5 shadow file encryption and you don’t need to be a hacker to use it .

MD5 is as shity as the “devellopers” who recommand it for password encryption .
wake up guys ! you need to get informed on what is at each time possible or not in IT security

otherwise do not even try to make any security choice or you ‘ll be raped by all the dummiest lamerz (shity hackers often of an age inferior to 15) on earth
(be sure that they are numerous !)

you better use sha512 (designed by NSA) and mix uppercase with lowercase,special letters and number and of course choose a 8 long (or more if you can remeber it and keep it only in mind and use it for one device/service at the time)
PS: the security question is useless since its not a captcha
there is algorithms (I can make one) to parse this kind of text and they are quite fast for net bots server devices

Reply

Leave a Comment

Previous post:

Next post: