
Re: Password decrypting ? Sendmail problems ?



On Fri, Aug 25, 2000 at 07:46:21PM +0800, Oliver Schoenknecht wrote:
> Hello everyone,
> 
> first of all I need to tell you that I have some kind of bet running -
> a friend of mine has put up a SuSE 6.3 linux-proxy and mail server and
> claims it to be safe although you can reach it via telnet and ftp from
> outside... Recently he dared me to try to crack his password file so
> that he may think about new ways of protecting his system... After
> some search I got his password file which you see below 

Don't do that.

Yes, there are programs which will attempt to crack passwords, generally
by brute force.  The usual is "John the Ripper", though others exist.

There are a couple of changes to the traditional Unix password scheme in
recent years, notably shadow passwords, in which passwords are kept in a
separate file, not readable by unprivileged users, and long passwords,
which allow passwords (or phrases) of more than 8 characters (current
recommendation is 12 to 20 characters), using MD5 hashing.  Dedicated
hardware can crack 8 byte passwords in a matter of minutes or seconds.

Query:  How do you implement MD5 and long passwords on Debian?  Is it
more than just modifying /etc/pam.d/passwd?



You'll note I mentioned shadow passwords.  You've just posted a passwd
file on the Internet.  If your friend's system can be identified, it's
highly probable that security can be compromised readily.  

The system should be considered insecure.  

You should inform him of this situation, have him change the system
passwords, apply shadow passwords, and MD5 password hashing with long
password lengths.

-- 
Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Opensales, Inc.                    http://www.opensales.org
  What part of "Gestalt" don't you understand?   Debian GNU/Linux rocks!
   http://gestalt-system.sourceforge.net/    K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
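
Added example, not part of the original message: a small Python check for the two hardening steps recommended above (shadow passwords and MD5 hashing). It reads passwd-format lines and reports entries whose hash still sits in the world-readable file or that have no password at all; the function names and the sample entries are constructed for illustration.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
# Only the first 8 characters of the password are significant in this scheme.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_field(pw):
    """Classify the second (password) field of a passwd(5) entry."""
    if pw == "x":
        return "shadowed"        # hash lives in the shadow file
    if pw == "":
        return "empty"           # account has no password
    if pw.startswith(("*", "!")):
        return "locked"          # no valid hash, password login disabled
    if pw.startswith("$1$"):
        return "md5-exposed"     # MD5 crypt, but readable by every user
    if DES_CRYPT.match(pw):
        return "des-exposed"     # 8-character DES crypt, readable by every user
    return "unknown"

def audit_passwd(text):
    """Return (line number, user, status) for entries that need attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:     # passwd(5) entries have exactly 7 fields
            findings.append((lineno, "?", "malformed"))
            continue
        status = classify_field(fields[1])
        if status not in ("shadowed", "locked"):
            findings.append((lineno, fields[0], status))
    return findings

# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:abCONSTRUCTED:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$saltsalt$CONSTRUCTEDCONSTRUCTED:1001:1001:Bob:/home/bob:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
broken:line
"""

if __name__ == "__main__":
    for lineno, user, status in audit_passwd(SAMPLE):
        print(f"line {lineno}: {user}: {status}")
```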
