Security implications of chpasswd.
For some very good reasons I had to do a mass change of passwords
on one of our exposed login machines (no breach/hack, different
There is a utility included in Debian Stable (and the others) to do
this called chpasswd.
I believe there may be some security issues with this utility:
1) This utility does DES passwords instead of MD5, even though the
rest of the system does/understands MD5.
2) when doing a mass password change, the first 2 characters are the
same for every password. This could be an "information leak"
indicating mass-password changes, and displaying *which passwords
are still at the set default*. For a better example of what I mean,
consider this case:
A college campus creates 2k accounts and passwords at once. JR
hacker gains access a week later through his account without changing
the password, then somehow gets hold of the shadow file. In it he
can determine (with some margin of error) which accounts have or
haven't been changed. Since many universities use some stupid
pattern for their passwords, or hand out cards with the account
passwords on them (later found in the trash), he now has a pool of
accounts to attack.
3) chpasswd provides no facility to use MD5 rather than (I suspect)
DES. DES is unacceptable these days.
Also, where is the source for this utility, and the passwd utility?
I can't seem to find it in my local mirror.
Share and Enjoy.