My question is: if someone hacked privileges on the /etc/shadow file, can he crack the passwords of the system users?
If yes, how can I better secure my passwords and make it difficult for a cracker to easily crack my users' passwords?
Any suggestions?
While DES should never be used, MD5 is also weak. Check your /etc/login.defs file for the ENCRYPT_METHOD setting. SHA512 is the strongest possible option as far as I know. If your hashes in /etc/shadow start with "$6$", that's SHA512 which I think is not known to be broken (unlike DES and MD5). Of course, strong password hashes do not mean that simple passwords cannot still be easily cracked - they can.
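The check suggested in the answer above, written out as an added example that is not part of the original thread: it reads the ENCRYPT_METHOD setting from login.defs text and classifies each /etc/shadow hash by its prefix, flagging DES and MD5. The function names and sample data are constructed for illustration, and the prefix table goes beyond the "$6$" case the answer mentions by also covering the other common crypt(3) scheme ids and empty password fields.

```python
import re
# crypt(3) scheme ids found in the second field of /etc/shadow
SCHEMES = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "SHA256", "6": "SHA512", "y": "yescrypt"}
WEAK = {"DES", "MD5", "EMPTY"}  # DES and MD5 per the answer; EMPTY = no password

def classify(field):
    """Name the hashing scheme of one shadow password field."""
    if field == "":
        return "EMPTY"                    # login needs no password at all
    h = field.lstrip("!")                 # leading "!" marks a locked password
    if h in ("", "*"):
        return "LOCKED"                   # no usable hash stored
    m = re.match(r"\$([0-9a-z]+)\$", h)
    if m:
        return SCHEMES.get(m.group(1), "UNKNOWN")
    # No "$id$" prefix and exactly 13 characters: traditional DES crypt
    return "DES" if re.fullmatch(r"[./0-9A-Za-z]{13}", h) else "UNKNOWN"

def audit_shadow(text):
    """Return [(user, scheme, is_weak)] for accounts that store a hash."""
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and classify(parts[1]) != "LOCKED":
            scheme = classify(parts[1])
            rows.append((parts[0], scheme, scheme in WEAK))
    return rows

def encrypt_method(login_defs):
    """Return the ENCRYPT_METHOD value from login.defs text, or None."""
    for line in login_defs.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 2 and tokens[0] == "ENCRYPT_METHOD":
            return tokens[1]
    return None

# Constructed sample data (placeholder salts and hashes, not real ones)
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$CONSTRUCT$constructedhash:19000:0:99999:7:::
bob:XXconstructed:19000:0:99999:7:::
carol:!$6$CONSTRUCTEDSALT$constructedhash:19000:0:99999:7:::
"""
SAMPLE_LOGIN_DEFS = "# constructed sample\nENCRYPT_METHOD SHA512\n"
if __name__ == "__main__":
    print("ENCRYPT_METHOD =", encrypt_method(SAMPLE_LOGIN_DEFS))
    print(*audit_shadow(SAMPLE_SHADOW), sep="\n")
```

Accounts flagged as weak keep their old hash until the password is changed, because ENCRYPT_METHOD only applies when a new hash is generated.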
After research, I can answer these questions:
Can passwords be cracked: Yes
How: by using cracking software such as John the Ripper, a security tool which is open source and can be installed easily.
What level does the cracker need to be: Newbie, because this software is pretty good and there are plenty of instructions on the net on how to use it.
Here is how easy it is to use it to crack passwords! Link
What should I do to be more secure?
References: dankalia