
Security implications of chpasswd.



    For some very good reasons I had to do a mass change of passwords
    on one of our exposed login machines (no breach/hack, different
    reason). 

    There is a utility included in Debian Stable (and the others) to do
    this called chpasswd. 

    I believe there may be some security issues with this utility:

    1) This utility does DES passwords instead of MD5, even though the
    rest of the system does/understands MD5.

    2) When doing a mass password change, the first 2 characters are the
    same for every password. This could be an "information leak"
    indicating mass-password changes, and displaying *which passwords
    are still at the set default*. For a better example of what I mean,
    consider this case:

    A college campus creates 2k accounts and passwords at once. JR
    hacker gains access a week later through his account without changing
    the password, then somehow gets ahold of the shadow file. In it he
    can determine (with some margin of error) which accounts have or
    haven't been changed. Since many universities use some stupid
    pattern for their passwords, or hand out cards with the account
    passwords on them (later found in the trash), he now has a pool of
    accounts to attack.

    3) chpasswd provides no facility to use MD5 rather than (I suspect)
    DES. DES is unacceptable these days. 

    Also, where is the source for this utility, and the passwd utility?
    I can't seem to find it in my local mirror. 

-- 
Share and Enjoy. 
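An added audit script for the concern in point 2 above (example code, not part of the original post): in traditional DES crypt the first two characters of the hash field are the salt, so accounts that were set in one chpasswd batch and never changed since share that salt and can be spotted directly in the shadow file. The shadow lines are constructed sample data, and the script also counts how many accounts are still on DES rather than MD5.

```python
import re
from collections import defaultdict

# Constructed sample in /etc/shadow format (not real credentials).
# alice, bob and eve were set in one chpasswd batch and share DES salt "ab";
# carol changed her password later (new salt); dave has an MD5 ($1$) hash.
SAMPLE_SHADOW = """\
alice:abJnggxhB/yWI:11000:0:99999:7:::
bob:abxR8MCxKhyxc:11000:0:99999:7:::
carol:Zq5sW2k0Lxqwo:11007:0:99999:7:::
dave:$1$z3Ks9Qx1$f7QyH1nF2vBcZ7Y8tq/Xu0:11007:0:99999:7:::
eve:abD3uP/gvT9xA:11000:0:99999:7:::
frank:!:11000:0:99999:7:::
"""

DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash

def classify(hash_field):
    """Return ('des', salt), ('md5', salt) or ('other', None) for one hash field."""
    if DES_HASH.match(hash_field):
        return "des", hash_field[:2]
    if hash_field.startswith("$1$"):
        return "md5", hash_field.split("$")[2]
    return "other", None  # locked (!), empty, or an unrecognised scheme

def audit_shadow(text):
    """Group DES entries by their two-character salt and report every salt
    shared by more than one account, plus how many accounts still use DES."""
    by_salt = defaultdict(list)
    des_count = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(":")[:2]
        scheme, salt = classify(hash_field)
        if scheme == "des":
            des_count += 1
            by_salt[salt].append(user)
    shared = {s: sorted(u) for s, u in by_salt.items() if len(u) > 1}
    return {"des_accounts": des_count, "shared_salts": shared}

if __name__ == "__main__":
    report = audit_shadow(SAMPLE_SHADOW)
    print(f"{report['des_accounts']} accounts still use DES crypt")
    for salt, users in report["shared_salts"].items():
        print(f"salt {salt!r} shared by {len(users)} accounts: {', '.join(users)}")
```

Running it against a real shadow file (as root) lists exactly the groups of accounts the post describes as still sitting on their batch-assigned password.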