
Re: Passwords



Pass phrase length and complexity: at least 16 characters; starts and
ends with a letter, has two symbols, two numbers, two upper-case, two
lower-case. Nothing found in dictionaries in the pass phrase, no keyboard
walking, no recognizable keyboard patterns; may work for a few seconds.



Jude <jdashiel at panix dot com> "There are four boxes to be used in
defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)


On Tue, 17 Jan 2023, davenull@tuxfamily.org wrote:

> Hello
>
> On 2023-01-17 09:51, DdB wrote:
> > On 17.01.2023 at 07:14, Stanislav Vlasov wrote:
> >> Tue, 17 Jan 2023 at 11:01, David <david.g_jones@ntlworld.com>:
> >>> Looking on the internet it says the passwords are stored in /etc/passwd
> >>> and /etc/shadow
> >>
> >> In /etc/shadow only password's hashes, some data, one-way calculated
> >> from password string.
> >>
> >>> The password string in /etc/shadow looks as if it's encoded, how can I
> >>> read this string?
> >>
> >> You can't.
> > Everyone (and their friend) seem to know, how to work around this, which
> > apparently is common debian knowledge (which is nice).
> >
> > But somehow, i feel there could be more caring about avoiding to teach
> > future hackers by accident. Is this kind of lesson appropriate for a
> > users list? - I doubt it.
> >
> > just my 2 cents
> > DdB
>
>
> It's not hacking. It's typical system administration stuff. A required
> knowledge so you don't end up locked out of your own system in a non-encrypted
> installation. It requires physical access to the computer, so not applicable
> from a distance, as you need to either
> - remove then mount the hard drive on another machine.
> - boot from a live USB.
> - boot into GRUB's rescue shell.
>
> But if you're worried about physical access to your computer (as a laptop that
> can be easily stolen, or left in a hotel room, or whatever), an account password
> isn't going to protect your data or protect from someone altering your password /
> installing fishy stuff?
>
> In such a case, you need to protect your system by encrypting it. And not just
> encrypt /home, as the files you need to protect in order to protect the system
> from password tampering are NOT in /home. The Debian installer has an option to
> encrypt the system quite easily; you just need time for the initial
> installation, as it spends a good amount of time writing random data (more or less
> acceptable duration depending on your disk speed and CPU performance). And
> re-encrypt it when needed/when algorithms get broken and new, better ones
> become the new recommended standard/if your decryption passphrase is known by
> someone else/whatever.
>
> But it only makes sense if your decryption key has a long, complex passphrase.
> An easily brute-forceable or guessable password for disk encryption defeats
> the very purpose of disk encryption. It basically means if you forget the
> passphrase, you're pretty much screwed until you either remember it, or
> reinstall and reconfigure everything. So you need to have a backup [1] in a secure
> place.
>
> ---
> 1. But again, backups are required anyway, encrypted installs or not. Storage
> supports do fail and/or get stolen. Never trust a single storage device. Or
> "cloud" backup bullshit. Cloud being nothing else than someone else's computer,
> who can do whatever they want on it, kick users whenever they please or abuse
> personal data for profit if they want to (whether they do it in a "legal" or
> semi-legal way or not doesn't matter, as they have the technical means to do
> so and users have no means to check what's going on [2]. Including when data
> is "encrypted" IF encryption and decryption happen on their systems).
> 2. It's already hard enough to know what's going on on one's own computer, let
> alone distant systems managed by someone else?
>
>
>

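As an added example (not code from anyone in this thread), the following Python checks a candidate pass phrase against the rules listed at the top of this message: 16+ characters, letter at both ends, two each of symbols, digits, upper-case and lower-case, no dictionary words, and no keyboard walks. The dictionary is a constructed stand-in for a real word list, and the keyboard rows assume a US QWERTY layout.

```python
import string

# Constructed stand-in for a real dictionary file (assumption: you would
# load /usr/share/dict/words or similar in practice).
DICTIONARY = {"password", "debian", "linux", "letmein", "welcome", "secret"}

# US QWERTY rows, used to detect keyboard walks such as "qwerty" or "asdf".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_keyboard_walk(pw, run=3):
    """True if `run` consecutive characters walk a keyboard row either way."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(direction) - run + 1):
                if direction[i:i + run] in low:
                    return True
    return False


def check_passphrase(pw, dictionary=DICTIONARY):
    """Return the list of rules the pass phrase violates; [] means it passes."""
    problems = []
    if len(pw) < 16:
        problems.append("shorter than 16 characters")
    if not (pw and pw[0].isalpha() and pw[-1].isalpha()):
        problems.append("must start and end with a letter")
    if sum(c in string.punctuation for c in pw) < 2:
        problems.append("needs at least two symbols")
    if sum(c.isdigit() for c in pw) < 2:
        problems.append("needs at least two digits")
    if sum(c.isupper() for c in pw) < 2:
        problems.append("needs at least two upper-case letters")
    if sum(c.islower() for c in pw) < 2:
        problems.append("needs at least two lower-case letters")
    # Dictionary rule: any listed word of 4+ letters appearing anywhere,
    # case-insensitively, counts as a hit (so "PasswordPassword" is caught).
    low = pw.lower()
    found = sorted(w for w in dictionary if len(w) >= 4 and w in low)
    if found:
        problems.append("contains dictionary word(s): " + ", ".join(found))
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard walk")
    return problems


if __name__ == "__main__":
    for candidate in ("Tq7#mR9!vLb2%zXw", "qwerty1234!!", "PasswordPassword12!!Ab"):
        print(candidate, "->", check_passphrase(candidate) or "OK")
```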
