Having a secure password is often the first line of defense against security breaches.

One of the most important security features in use today is the password. It is important for both you and all your users to have secure, unguessable passwords. Most recent Linux distributions include password programs that refuse an easily guessable password. Make sure your passwd program is up to date and has these features.

Password security is one of the most critical means of protecting your system from compromise. Without effective, well-chosen passwords, your system is very likely to be compromised. Passwords are the most basic means of authentication.

Password security involves both choosing good passwords and enforcing that choice on the users of the system. Knowing a valid password, together with access to a terminal or to a network login service, is all that an unauthorized user needs to gain access to a system.

Once a user has gained access to the system, she can steal data or corrupt the system in obvious as well as subtle ways. If your account is compromised as a result of choosing a poor password, you may ultimately be responsible. It is your responsibility to ensure that your account is not compromised.

Conventional Linux distributions used a one-way hashing scheme based on DES (the Data Encryption Standard) to protect stored passwords; this traditional crypt() only looks at the first eight characters of the password. Later distributions moved to a stronger scheme built on the MD5 function. It produces a 128-bit fingerprint, accepts passwords longer than eight characters, and is more difficult to crack. Current distributions have since moved on again, to SHA-512-based ($6$) or yescrypt ($y$) hashes; MD5-crypt should no longer be used for new passwords.

How is my password stored?

This hashed password is stored in /etc/passwd, or in /etc/shadow if you have "shadow passwords" enabled. A conventional (DES crypt) entry from /etc/shadow might look like this:

  fred:m2nv/1iKlc1:11080:0:99999:7:-1:-1:134537628

The actual password that the user typed is not stored anywhere on the system. Instead, the system stores the output of a one-way function, crypt(): in the traditional scheme the password is used as a DES key to encrypt a block of zeros 25 times, and a two-character salt (the first two characters of the stored value) perturbs the algorithm so that the same password on two accounts produces two different results. When you later authenticate, the system runs what you typed through crypt() again with the same salt and compares the result to the stored value. If they match, you are authenticated. An MD5-crypt entry is marked by a "$1$" prefix, followed by the salt and a second "$" before the hash, and would look similar to this:

  fred:$1$NCz74a5c$s/CbS1cqse2C1nV/1IKjc1:11080:0:99999:7:-1:-1:134537628

Shadow passwords are a means of keeping your hashed password information secret from normal users. Without them the hash is stored in /etc/passwd, which has to be world-readable, so any user can copy it and run a password-cracking program against it. Shadow passwords move the hashes to /etc/shadow, a file that only privileged users can read. All current distributions are configured for shadow passwords by default.

When you attempt to log in, whatever you type is hashed again and compared with the entry in the file that stores your password hash. If they match, it is taken to be the same password, and you are allowed access. Although DES itself is a two-way cipher (you can encrypt and then decrypt a message, given the right key), the way crypt() uses it is one-way: the secret is the key, not the message, and the message is a fixed block of zeros, so there is nothing to decrypt. It should therefore not be possible to reverse the stored value to recover the password from /etc/passwd or /etc/shadow; an attacker can only guess candidate passwords, hash each one with the same salt, and compare.
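The store-and-compare flow described above, worked through in code. This is an added example, not part of the original document: it implements the MD5-crypt ($1$) scheme in pure Python (following the algorithm of the FreeBSD/glibc crypt() implementation, with 1000 stretching rounds and the crypt base-64 alphabet), parses a shadow entry, and verifies a candidate password by re-hashing it with the salt taken from the stored value. The sample shadow line is the fred example from this page; fred's real password is unknown, so the demonstration hashes a passphrase of its own. Function names are this example's own.

```python
import hashlib
import hmac
import os

# crypt(3) base-64 alphabet; note this is NOT the RFC 4648 alphabet.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Shadow entry taken from this page (fred's MD5-crypt line).
SAMPLE_SHADOW_LINE = "fred:$1$NCz74a5c$s/CbS1cqse2C1nV/1IKjc1:11080:0:99999:7:-1:-1:134537628"


def _to64(value, nchars):
    """Emit nchars 6-bit groups of value, least significant group first."""
    out = []
    for _ in range(nchars):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    """MD5-crypt as used by glibc/FreeBSD: returns '$1$<salt>$<22 chars>'."""
    pw = password.encode()
    salt = salt[:8]                     # at most 8 salt characters are used
    sb = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                         # for each bit of the length: NUL or pw[0]
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching; password and salt are folded in on a fixed pattern.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return "$1$" + salt + "$" + encoded


def parse_shadow_line(line):
    """Split one /etc/shadow record into its nine named fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow entry")
    names = ["name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "flag"]
    return dict(zip(names, fields))


def verify_password(candidate, stored_hash):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    if not stored_hash.startswith("$1$"):
        raise ValueError("only $1$ (MD5-crypt) hashes are handled by this example")
    salt = stored_hash.split("$")[2]    # '$1$<salt>$<hash>' -> index 2 is the salt
    return hmac.compare_digest(md5_crypt(candidate, salt), stored_hash)


def new_salt():
    """A fresh random 8-character salt for setting a new password."""
    return "".join(ITOA64[b & 0x3F] for b in os.urandom(8))


if __name__ == "__main__":
    entry = parse_shadow_line(SAMPLE_SHADOW_LINE)
    print(entry["name"], "uses", entry["hash"][:3], "with salt", entry["hash"].split("$")[2])
    stored = md5_crypt("example passphrase", new_salt())
    print(stored, verify_password("example passphrase", stored), verify_password("wrong", stored))
```

The salt is what makes a precomputed table useless: the same passphrase hashed under two salts gives two unrelated values, so an attacker must redo the 1000 rounds per guess per account. The comparison uses hmac.compare_digest so that the time taken does not leak how many leading characters matched.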

Any entry in the password file with a user ID of 0 (zero) is a root account, regardless of its name; check the file for UID 0 entries other than root.
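The checks that follow from the storage discussion and the UID 0 point, as an added example that is not part of the original document: it reads passwd- and shadow-format text, lists every UID 0 account, flags hashes that were left in the world-readable passwd file instead of being shadowed, flags accounts with an empty password field, and flags accounts still protected by the legacy DES or MD5 schemes. The sample files are constructed for the example; fred's line is the one shown on this page, and the other hash strings are placeholders chosen only for their prefix, not real hashes.

```python
import re

# A traditional DES crypt() value: 13 characters from the crypt base-64 alphabet.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed stand-ins for /etc/passwd and /etc/shadow (not real system files).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
fred:x:1000:1000:Fred:/home/fred:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/sh
guest:x:1001:1001:Guest:/home/guest:/bin/sh
legacy:abJnggxhB/yWI:1002:1002:hash left in passwd:/home/legacy:/bin/sh
"""

SHADOW_SAMPLE = """\
root:$6$placeholdersalt$placeholderhash:19000:0:99999:7:::
fred:$1$NCz74a5c$s/CbS1cqse2C1nV/1IKjc1:11080:0:99999:7:-1:-1:134537628
toor:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def hash_kind(field):
    """Classify a password field by its crypt(3) prefix."""
    if field == "":
        return "empty"            # no password at all: anyone can log in
    if field.startswith(("!", "*")):
        return "locked"           # can never match a typed password
    if field.startswith("$1$"):
        return "md5"
    if field.startswith("$5$"):
        return "sha256"
    if field.startswith("$6$"):
        return "sha512"
    if field.startswith("$y$"):
        return "yescrypt"
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if DES_HASH.match(field):
        return "des"
    return "unknown"


def audit(passwd_text, shadow_text):
    """Return the accounts that deserve attention, grouped by finding."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, pwhash = line.split(":", 2)[:2]
            shadow[name] = pwhash

    findings = {"uid0": [], "unshadowed": [], "empty": [], "legacy_hash": []}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pwfield, uid = line.split(":")[:3]
        if int(uid) == 0:
            findings["uid0"].append(name)          # every UID 0 entry is root
        if pwfield == "x":
            # 'x' means the hash lives in /etc/shadow; with no shadow entry
            # there is nothing to match, so treat it as locked.
            field = shadow.get(name, "!")
        else:
            findings["unshadowed"].append(name)    # hash (or nothing) sits in passwd
            field = pwfield
        kind = hash_kind(field)
        if kind == "empty":
            findings["empty"].append(name)
        elif kind in ("des", "md5"):
            findings["legacy_hash"].append(name)
    return findings


if __name__ == "__main__":
    # On a real system: audit(open("/etc/passwd").read(), open("/etc/shadow").read())
    for finding, names in audit(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print("%-12s %s" % (finding, ", ".join(names) or "-"))
```

The passwd and shadow files are joined on the account name, so a hash placed directly in the second field of /etc/passwd is reported even when a shadow entry for the same name exists. On a live system, rerun the audit after every package upgrade or account change, since an extra UID 0 account is a classic leftover of a compromise.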

Choose effective passwords

There is a great deal of information available on the Internet regarding choosing good passwords. A minimum of 8 characters should be enforced (6 was once considered acceptable and no longer is), and longer passphrases are better still; bear in mind that traditional DES crypt() silently ignores everything past the eighth character, which is one more reason to avoid it. The paper Foiling the Cracker: A Survey of, and Improvements to, Password Security (listed under Resources below) demonstrates the ease with which most passwords can be guessed by a motivated attacker.

Password-cracking tools such as John the Ripper try dictionary words, common mutations of them, and finally brute force, and will recover a password quickly unless it is long and sufficiently random. PAM modules let you choose the hashing routine used for stored passwords (MD5-crypt, or the SHA-based routines on newer systems), which raises the cost of every guess; a stronger hash slows an attacker down but does not rescue a weak password.

Protect your password by following these guidelines:

  • Never share your password.
    When you tell someone your password and let them log in to your account, the system loses its ability to hold individual users accountable for their own actions.
  • Do not write down your password.
    Many system penetrations occur simply because a user wrote his or her password down next to the terminal. If a password must be recorded, keep it under lock and key.
  • Never use an old password again.
    Reuse increases the probability that someone who learned or cracked the old password can use it again.
  • Never type a password while someone is watching.
    It is possible to steal a password simply by watching someone type it. Be especially careful if you are using a workstation in a public area.
  • If you are allowed to choose your own password, choose it wisely. Select passwords that are hard to guess.
    Never use an ordinary word or a proper name, your spouse's, child's, or pet's name, your birthday, your address, or a machine name, even if these words are spelled backward, permuted in some other way, or have a number added to the front or back.
    Always choose a password that contains some numbers or special characters. Always select different passwords for different machines, but never use the name of the machine, even permuted.
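The last guideline, the one about words, names and their reversed or number-suffixed forms, is the part a password program can enforce. Below is an added example, not code from the original document, of the kind of check a passwd front end (or the OPUS system listed under Resources) performs: it generates the variants a cracker's rule set would try (lower-cased, reversed, leading and trailing digits or punctuation stripped, common letter-for-digit substitutions undone) and rejects a candidate if any variant is a dictionary word or a personal name. The word and name lists are constructed for the demonstration; a real deployment would load a large dictionary and the account's own name data.

```python
import re

# Constructed lists for the example only.
DICTIONARY = {"password", "secret", "welcome", "dragon", "letmein", "monkey"}
PERSONAL = {"fred", "wilma", "pebbles", "dino", "bedrock"}   # user, spouse, child, pet, host

# Undo the usual letter-for-digit substitutions (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i).
_LEET = str.maketrans("013457@$!", "oleastasi")
# Digits and punctuation glued to the front or back of a word.
_EDGE_JUNK = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def variants(candidate):
    """The forms a cracker's rule set tries against a dictionary."""
    base = candidate.lower()
    stripped = _EDGE_JUNK.sub("", base)
    forms = set()
    for s in (base, stripped):
        for t in (s, s.translate(_LEET)):
            forms.add(t)
            forms.add(t[::-1])          # spelled backward
    forms.discard("")
    return forms


def check_password(candidate, dictionary=DICTIONARY, personal=PERSONAL, min_len=8):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if not any(ch.isdigit() or not ch.isalnum() for ch in candidate):
        reasons.append("contains no digits or special characters")
    hits = variants(candidate) & (dictionary | personal)
    if hits:
        reasons.append("based on a dictionary word or personal name: " + ", ".join(sorted(hits)))
    return reasons


if __name__ == "__main__":
    for pw in ("dino1", "Bedrock99!", "amliW", "p4ssw0rd!", "Tuesday lunch: 3 rubber ducks!"):
        print(repr(pw), "->", check_password(pw) or "accepted")
```

Each rejection reason is reported rather than a bare yes/no, so the user learns why a choice like Bedrock99! fails: stripping the trailing digits and punctuation leaves the machine name, which is exactly the permutation the guideline warns about.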

Although these procedures add a small amount of effort to your login, they help to avoid system compromise.

Resources:

  • Department of Defense Password Management Guideline -- Enumerates a number of good password management practices.
  • Selecting Good Passwords -- Quick list of things to keep in mind when choosing a password and should be consulted when developing your security policy.
  • Standard for Automated Password Generator -- Federal Information Processing Standard No. 181.
  • Foiling the Cracker: A Survey of, and Improvements to, Password Security -- Demonstrates the ease with which most passwords can be guessed by a motivated attacker.
  • Observing Reusable Password Choices -- A method for observing password choices made by users, and how to protect it from being compromised.
  • OPUS: Preventing Weak Password Choices -- A system that uses Bloom filters to implement a constant-time dictionary lookup, regardless of dictionary size, to check a user's password choice for "goodness".
  • User Authentication and Related Topics: An Annotated Bibliography
  • Password Security: A Case History -- A description of the original UNIX password algorithm, and the reasons for replacing it with the current one.
  • UNIX Password Security - Ten Years Later -- A reexamination of the UNIX password algorithm after ten years of advances in software and hardware.
  • The S/Key One-Time Password System -- A freely available implementation of one-time passwords.