Choosing Secure Passwords
Source: Benjamin D. Thomas - Posted by Benjamin D. Thomas

Learn tips and tricks. Having a secure password is often the first line of defense against security breaches.

One of the most important security features in use today is the password. It is important for both you and all your users to have secure, unguessable passwords. Most recent Linux distributions include password programs that do not allow you to set an easily guessable password. Make sure your passwd program is up to date and has these features.

Password security is the most critical means of protecting your system from compromise. Without an effective, well-chosen password, your system is sure to be compromised. It is the most basic means of authentication.

Password security involves both choosing good passwords and enforcing this on the users of the system. Knowing a password and having physical access to a terminal are all that an unauthorized user needs to gain access to a system.

Once a user has gained access to the system, she can steal data or corrupt the system in obvious as well as subtle ways. If your account is compromised as a result of choosing a poor password, you may ultimately be responsible. It is your responsibility to ensure that your account is not compromised.

Conventional Linux distributions have used a one-way encryption algorithm based on DES (Data Encryption Standard) to encrypt passwords. More recently, a stronger method based on the MD5 hash function has come into use. It produces a 128-bit integrity fingerprint, allows for longer passwords, and is more difficult to crack.

How is my password stored?

This encrypted password is stored in /etc/passwd or /etc/shadow if you have "shadow passwords" enabled. A conventional password from /etc/shadow might look like this:


The actual password that the user typed is not stored anywhere on the system. Instead, the system stores a value generated by using the password as the key to encrypt a block of zeros with a one-way function called crypt(). When you attempt to authenticate using the same password that was supplied when the password was set, the system runs it through the crypt() algorithm again and compares the result to the stored value. If the encrypted results match, you are authenticated. An MD5-equipped password would look similar to this:


Shadow passwords are a means of keeping your encrypted password information secret from normal users. Without them, the encrypted password is stored in /etc/passwd, which everyone can read; anyone can then run password-guessing programs against it and attempt to determine what it is. Shadow passwords store this information in /etc/shadow, which only privileged users can read. All current distributions are configured for shadow passwords by default.

When you attempt to log in, whatever you type is encrypted again and compared with the entry in the file that stores your passwords. If they match, it must be the same password, and you are allowed access. Although DES is a two-way encryption algorithm (you can encode and then decode a message, given the right keys), the variant that most Unix systems use is one-way. This means that it should not be possible to reverse the encryption to recover the password from the contents of /etc/passwd or /etc/shadow.

Any entry in the password file with a user-ID of "0" (zero) is a root entry, regardless of what it's called.
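The two checks the preceding paragraphs call for, as an added example that is not part of the original article: it reads /etc/passwd-style lines for UID-0 entries that are not named root, and classifies each /etc/shadow password field by its hash scheme so that the older DES (13-character) and MD5 ($1$) formats, and empty password fields, can be flagged. The sample lines, the hostnames and the placeholder hash characters are constructed for the example; the $5$/$6$/$y$/$2y$ prefixes are the ones modern glibc and distribution crypt implementations use.

```python
import re

# Constructed sample entries for this example (not from any real system);
# hash fields use placeholder characters from the crypt alphabet [./0-9A-Za-z].
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "toor:x:0:0:second uid-0 account:/root:/bin/bash",
]
SHADOW_LINES = [
    "root:$6$" + "s" * 16 + "$" + "h" * 86 + ":19800:0:99999:7:::",
    "daemon:*:19800:0:99999:7:::",
    "alice:$1$" + "s" * 8 + "$" + "h" * 22 + ":19800:0:99999:7:::",
    "toor:" + "d" * 13 + ":19800:0:99999:7:::",
    "guest::19800:0:99999:7:::",
]
CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional crypt(3) output
PREFIXES = {"$1$": "md5", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}
WEAK = {"des", "md5", "empty"}                    # schemes a defender should flag

def hash_scheme(field):
    """Name the scheme used by one /etc/shadow password field."""
    if field == "":
        return "empty"      # no password required at all
    if field[0] in "!*":
        return "locked"     # password login disabled for this account
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "des" if CRYPT_DES.match(field) else "unknown"

def weak_hashes(shadow_lines):
    """Return (user, scheme) for every account still on a weak or empty hash."""
    found = []
    for line in shadow_lines:
        fields = line.split(":")
        if len(fields) >= 2 and hash_scheme(fields[1]) in WEAK:
            found.append((fields[0], hash_scheme(fields[1])))
    return found

def extra_uid0_accounts(passwd_lines):
    """Return every UID-0 entry in /etc/passwd that is not named 'root'."""
    return [f[0] for f in (line.split(":") for line in passwd_lines)
            if len(f) >= 7 and f[2] == "0" and f[0] != "root"]

if __name__ == "__main__":
    print("weak hashes:", weak_hashes(SHADOW_LINES))
    print("extra UID-0 accounts:", extra_uid0_accounts(PASSWD_LINES))
```

On a real host, feed the functions the lines of /etc/passwd and (as root) /etc/shadow instead of the constructed lists.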

Choose effective passwords

There is a great deal of information available on the Internet regarding choosing good passwords. A password minimum of 6 characters should be enforced, and 8 characters provides a significant improvement in security. You can find more information on improving password security in the PostScript document titled "Foiling the Cracker: A Survey of, and Improvements to, Password Security", which demonstrates the ease with which most passwords can be guessed by a motivated attacker.

Brute-force attack tools, such as John the Ripper, can often guess passwords unless your password is sufficiently random. PAM modules allow you to use a different encryption routine for your passwords (MD5 or the like), making them more difficult to crack.

Protect your password by following these guidelines:

  • Never share your password. When you tell someone your password and let them log in to your account, the system loses its ability to hold individual users accountable for their own actions.
  • Do not write down your password. Many system penetrations occur simply because a user wrote his or her password on a terminal. If a password must be recorded, keep it under lock and key.
  • Never use an old password again. This increases the probability that someone can guess the password.
  • Never type a password while someone is watching. It is possible to steal a password simply by watching someone type it. Be especially careful if you are using a workstation in a public area.
  • If you are allowed to choose your own password, choose it wisely. Select passwords that are hard to guess. Never use an ordinary word or a proper name, your spouse's, child's, or pet's name, your birthday, your address, or a machine name, even if these words are spelled backward, permuted in some other way, or have a number added to the front or back.
  • Always choose a password that contains some numbers or special characters. Always select different passwords for different machines, but never use the name of the machine, even permuted.
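The selection rules above, turned into a checker as an added example that is not part of the original article: it enforces the 6-character minimum and 8-character recommendation, requires a digit and a special character, and rejects dictionary words, personal names and the machine name together with the trivial variants the guidelines name (reversed, or with a digit added to the front or back). The word lists and the hostname "webserver" are constructed for the example; a real deployment would load a dictionary file and the user's own personal names.

```python
import string

# Constructed lists for this example; a real check would load a dictionary file
# and the personal names the article lists (spouse, child, pet, birthday...).
DICTIONARY = {"password", "secret", "summer", "welcome"}
PERSONAL_WORDS = {"alice", "rover", "19800101"}
HOSTNAME = "webserver"   # assumed name of the machine the password is for

def _variants(word):
    """Forms the guidelines rule out: the word, the word reversed, and either
    of those with a single digit added to the front or back."""
    w = word.lower()
    out = {w, w[::-1]}
    for base in list(out):
        out.update({d + base for d in string.digits} | {base + d for d in string.digits})
    return out

def password_problems(password, hostname=HOSTNAME):
    """Return the guideline violations found in a candidate password ([] if none)."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than the 6-character minimum")
    elif len(password) < 8:
        problems.append("shorter than the recommended 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no special character")
    lowered = password.lower()
    stripped = "".join(c for c in lowered if c.isalnum())   # catch punctuated variants
    forbidden = set()
    for word in DICTIONARY | PERSONAL_WORDS | {hostname}:
        forbidden |= _variants(word)
    if lowered in forbidden or stripped in forbidden:
        problems.append("is a dictionary word, personal name or trivial variant")
    host = hostname.lower()
    if host in lowered or host[::-1] in lowered:
        problems.append("contains the machine name")
    return problems

def is_acceptable(password, hostname=HOSTNAME):
    return not password_problems(password, hostname)
```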

Although these procedures add a small amount of effort to your login, they help to avoid system compromise.

(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.