Howto: Protect account against a password cracking attack

Most Linux and UNIX systems use a password for authentication, i.e. to verify your identity.

If your password is obtained through a cracking attack, your data, computer, and network come under attack. Therefore, you must protect yourself against password cracking.

=> Use shadow passwords and Message-Digest Algorithm (MD5) password hashes.

=> Make sure only the root user owns your /etc/shadow file (you can write-protect this file with the chattr command).
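The two points above can be checked rather than assumed. The following POSIX sh script is an added example, not code from the original article: it reports which hash scheme each shadow entry uses (the `$1$` prefix is the md5crypt scheme the article calls "MD5 passwords"; current distributions default to SHA-512 `$6$` or yescrypt `$y$`), whether password aging is set, and whether the file's owner and mode match the usual distribution defaults. It assumes GNU `stat` for the `-c` option, and the sample shadow lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: audit shadow-file
# entries for the hash scheme in use, password aging, and file permissions.
# /etc/shadow is readable only by root, so sample lines for trying the
# functions out must be constructed.

# Print the hash scheme used by the password field (field 2) of one shadow line.
shadow_hash_type() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')              echo empty ;;     # no password at all: worse than weak
        '!'*|'*'*)       echo locked ;;    # account locked or password login disabled
        '$1$'*)          echo md5 ;;       # md5crypt, what the article calls "MD5 passwords"
        '$5$'*)          echo sha256 ;;
        '$6$'*)          echo sha512 ;;
        '$y$'*)          echo yescrypt ;;
        '$7$'*)          echo scrypt ;;
        '$2b$'*|'$2y$'*) echo bcrypt ;;
        *)               echo unknown ;;   # 13-character DES crypt or something exotic
    esac
}

# Exit 0 when a maximum password age (field 5) is set and below 99999,
# the value shadow-utils uses to mean "never expires".
shadow_aging_enforced() {
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    [ -n "$max" ] && [ "$max" -lt 99999 ]
}

# Exit 0 when the owner is root and the mode is one of the usual distribution
# defaults (0 or 600 on Red Hat-style systems, 640 with group shadow on Debian).
shadow_perms_ok() {     # args: owner and octal mode, as printed by `stat -c '%U %a'`
    [ "$1" = root ] || return 1
    case "$2" in 0|400|600|640) return 0 ;; *) return 1 ;; esac
}

# Walk a whole shadow file (default /etc/shadow; needs root). Assumes GNU stat.
audit_shadow_file() {
    f=${1:-/etc/shadow}
    set -- $(stat -c '%U %a' "$f")
    if shadow_perms_ok "$1" "$2"; then
        echo "$f: owner/mode ok ($1 $2)"
    else
        echo "$f: WARNING owner/mode is $1 $2"
    fi
    while IFS= read -r line; do
        user=${line%%:*}
        if shadow_aging_enforced "$line"; then aging=yes; else aging=no; fi
        printf '%-12s hash=%-8s aging=%s\n' "$user" "$(shadow_hash_type "$line")" "$aging"
    done < "$f"
}
```

Run `audit_shadow_file` as root to list every account; any `hash=md5`, `hash=empty` or `aging=no` line is worth a closer look. The write-protection the article mentions is `chattr +i /etc/shadow` (`lsattr /etc/shadow` shows the flag); be aware that passwd, chage and useradd write a new file and rename it over the old one, so they fail until the flag is cleared again with `chattr -i`.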

=> Use a strong password. Attackers will try both ssh and ftp logins using brute-force techniques. Avoid the following kinds of password:

  • Numeric-only or word-only passwords (e.g. 123456 or abc)
  • Do not use your own name, a pet's name, or a recognizable word from a dictionary
  • Avoid personal information such as a birth date or PIN/ZIP code
  • Do not write down your password
  • Do not use the same password on all servers

=> A good password:

  • Is at least 15 characters long
  • Mixes lower-case letters, upper-case letters, numbers and special characters
  • Most important: is one you can remember.

Fortunately, Linux and UNIX let you set up tight password policies:

  • Use specialized tools to check password weakness
  • Enforce password aging
  • Enforce strong password combinations
  • Disable a user account when failed login attempts are detected (for example, after 5 failed attempts in a row).
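The "check password weakness" and "strong combination" policies amount to a few testable rules. The script below is an added example, not code from the original article: a POSIX sh checker that applies the rules the article gives (15 characters minimum, a mix of lower-case, upper-case, digits and special characters, and no recognizable or personal words). The `BANNED_WORDS` list is a constructed stand-in for the dictionary, names and personal data the article warns about; in production you would hand the candidate to a real tool such as cracklib-check instead.

```shell
#!/bin/sh
# Added example, not code from the original article: a checker that applies
# the password rules the article lists (length, character mix, no dictionary
# or personal words). Usage: password_check 'candidate'  -> exit 0 if it passes;
# otherwise each failed rule is printed on its own line and the exit status is 1.

# Constructed stand-in for the dictionary words, names and personal data the
# article says to avoid. A real deployment feeds the candidate to cracklib-check
# (echo "$pw" | cracklib-check) or pam_pwquality instead of a hand-made list.
BANNED_WORDS='password letmein qwerty admin fido 19840101'

password_check() {
    pw=$1
    rc=0
    lower=$(printf '%s\n' "$pw" | tr 'A-Z' 'a-z')

    # Rule 1: at least 15 characters.
    [ "${#pw}" -ge 15 ] || { echo "shorter than 15 characters"; rc=1; }

    # Rule 2: mixture of lower-case, upper-case, digits and special characters.
    # A digits-only or letters-only password (the article's 123456 / abc) fails here.
    case "$pw" in *[a-z]*) ;; *) echo "no lower-case letter"; rc=1 ;; esac
    case "$pw" in *[A-Z]*) ;; *) echo "no upper-case letter"; rc=1 ;; esac
    case "$pw" in *[0-9]*) ;; *) echo "no digit"; rc=1 ;; esac
    case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "no special character"; rc=1 ;; esac

    # Rule 3: no recognizable word or personal data anywhere in the password,
    # compared case-insensitively so "Fido" and "FIDO" are caught as well.
    for w in $BANNED_WORDS; do
        case "$lower" in *"$w"*) echo "contains banned word '$w'"; rc=1 ;; esac
    done

    return "$rc"
}
```

The remaining two policies are set with the system's own tools rather than a script: `chage -M 90 -m 1 -W 7 username` gives that account a 90-day maximum password age with a 7-day warning, and on systems with pam_faillock, `deny=5 unlock_time=900` in its configuration locks an account for 15 minutes after five consecutive failed logins, matching the article's "5 times in a row" example.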

Stay tuned for more information: I will write about how to implement these password policies.

4 comments
  • amnju Mar 18, 2007 @ 6:14

    Can you reply to my mail on how you can decrypt passwords in the /etc/shadow file…

  • 🐧 nixCraft Mar 19, 2007 @ 15:19

    You cannot decrypt passwords in /etc/shadow. You can only encrypt a password and compare it with the /etc/shadow version using an API.

  • Harka May 26, 2008 @ 12:15

    > Do not write down password

    I disagree with that. In this day and age there's almost no way to NOT write down passwords.
    I see it this way: when you do write it down (assuming, of course, you store everything in a reasonably secure place… like your wallet) it makes it much easier to choose GOOD passwords, as opposed to lousy ones just so you can remember them…

    Btw, most authentication routines use 128-bit encryption/hashing, incl. Linux passwords (MD5). In order to make your passwords at least as strong as the underlying algorithm you need at least 28 *randomly chosen* characters, if you were only picking from the 26 lower-case English letters. Picked from upper and lower-case (52 chars) you'd need 23 randomly chosen characters, and if you add the 0-9 numbers into the mix (62 chars), you'd still need at least 22 random characters out of that.
    Now you know how weak your password really is compared to the technical implementation of it 🙂

  • READ THIS Jul 7, 2013 @ 14:52

    Using MD5 is as hazardous as not using the shadow file, since it's the most popular encryption method, since there are ways to identify collisions, and finally since reverse tables (rainbow tables) are available for free online. You can find them thanks to Google!!!!!!

    MD5 is just good for files to be checked with a checksum, for unimportant files
    (e.g. checking downloads…)

    MD5 encryption has been outdated for more than 10 YEARS.
    There also exists automatic software to root servers which use MD5 hash tables (I truly hope it's not the case for this website) or MD5 shadow file encryption, and you don't need to be a hacker to use it.

    MD5 is as shitty as the "developers" who recommend it for password encryption.
    Wake up guys! You need to get informed on what is possible or not in IT security at any given time.

    Otherwise do not even try to make any security choice, or you'll be raped by all the dumbest lamerz (shitty hackers, often younger than 15) on earth
    (be sure that they are numerous!)

    You'd better use SHA-512 (designed by the NSA) and mix uppercase with lowercase, special characters and numbers, and of course choose one at least 8 characters long (or more if you can remember it; keep it only in your mind and use it for one device/service at a time).
    PS: the security question is useless since it's not a captcha;
    there are algorithms (I can make one) to parse this kind of text and they are quite fast for net bot servers/devices.
