
Re: Passwords



Hello

On 2023-01-17 09:51, DdB wrote:
> On 17.01.2023 at 07:14, Stanislav Vlasov wrote:
>> Tue, 17 Jan 2023 at 11:01, David <david.g_jones@ntlworld.com>:
>>> Looking on the internet it says the passwords are stored in /etc/passwd
>>> and /etc/shadow
>>
>> In /etc/shadow there are only password hashes, some data calculated
>> one-way from the password string.
>>
>>> The password string in /etc/shadow looks as if it's encoded, how can I
>>> read this string?
>>
>> You can't.
>
> Everyone (and their friend) seems to know how to work around this, which
> apparently is common Debian knowledge (which is nice).
>
> But somehow, I feel there could be more care about avoiding teaching
> future hackers by accident. Is this kind of lesson appropriate for a
> users list? - I doubt it.
>
> just my 2 cents
> DdB


It's not hacking. It's typical system administration stuff. Required knowledge so you don't end up locked out of your own system on a non-encrypted installation. It requires physical access to the computer, so applicable from a distance as you need to either
- remove then mount the hard drive on another machine.
- boot from a live USB.
- boot into GRUB's rescue-shell.

But if you're worried about physical access to your computer (such as a laptop that can be easily stolen, or left in a hotel room, or whatever), an account password isn't going to protect your data, or protect you from someone altering your password / installing fishy stuff…

In such a case, you need to protect your system by encrypting it. And not just encrypt /home, as the files you need to protect in order to protect the system from password tampering are NOT in /home. The Debian installer has an option to encrypt the system quite easily; you just need time for the initial installation, as it spends a good amount of time writing random data (a more or less acceptable duration depending on your disk speed and CPU performance). And re-encrypt it when needed / when algorithms get broken and new, better ones become the recommended standard / if your decryption passphrase is known by someone else / whatever.

But it only makes sense if your decryption key has a long, complex passphrase. An easily brute-forceable or guessable password for disk encryption defeats the very purpose of disk encryption. It basically means that if you forget the passphrase, you're pretty much screwed until you either remember it, or reinstall and reconfigure everything. So you need to have a backup [1] in a secure place.

---
1. But again, backups are required anyway, encrypted installs or not. Storage media do fail and/or get stolen. Never trust a single storage device. Or "cloud" backup bullshit. The cloud being nothing else than someone else's computer, who can do whatever they want on it, kick users whenever they please or abuse personal data for profit if they want to (whether they do it in a "legal" or semi-legal way or not doesn't matter, as they have the technical means to do so and users have no means to check what's going on [2]. Including when data is "encrypted" IF encryption and decryption happen on their systems).
2. It's already hard enough to know what's going on on one's own computer, let alone distant systems managed by someone else…
