Linux Password Files
shuiend:
I was thinking about how Linux passwords are encrypted, then I realized that, it being open source, you could see how it is done. I was wondering if it would be possible to write a program that decrypts the passwords, since you can see the algorithm to encrypt them. What language would be the best to do this? I was thinking C or C++. I think this could be a big security hole and was wondering how hard it would be to accomplish. I was not sure which section to put this in, either Linux or programming. I decided programming because it has to do with writing a program. I am not sure if this is possible, so I am open to any ideas or info you have.
voidmain:
The fact that Linux is open source has nothing to do with the strength of the encryption. The encryption routines are open source, Windows even uses them. It's the fact that it uses a "key" based encryption that makes the method of encryption worthless knowledge as far as unencrypting the password. The only method for cracking passwords is using the brute force method on both Linux and Windows.
Most password cracking programs take a dictionary of words, encrypt each of those words, and variations of those words (change O's to 0's, S's to 5's etc) and compare the encrypted password with the encrypted dictionary word. If the encrypted passwords match, then they now have your password. That's why it is important to use passwords that are 1) more than 5 characters, 2) not a dictionary word, or any word, period, 3) mixed case and mixed with numbers and special characters.
Obviously given enough computing power you can crack any password by using every combination of characters starting with a 1 character password on up to 8 character passwords (or whatever the maximum password size is for the given operating system).
shuiend:
OK, thanks for the knowledge.
voidmain:
Oh, and getting the list of encrypted user passwords would be the first challenge. If they can get that, then there probably isn't much need to try and crack any of the user passwords. They likely would already "own" the system.
beltorak0:
To my knowledge:
There is no real way to decrypt the *nix passwords. They are encrypted with a "one way hash" -- a mathematical process in which it is infeasible to unencrypt the data. This means that once a password is accepted, it is lost forever (well, almost). The sysadmin cannot retrieve it, but can only [re]set it to a known value. See the book "Applied Cryptography" for details. Also http://www.aspencrypt.com/crypto101_hash.html
There are, however, several programs that supply random passwords to the encryption algorithm and then check the result against the stored value. Use them to check the strength of your passwords. Change weak passwords. Change passwords regularly and (fairly) frequently. Use all kinds of letters/numbers/punctuation/etc in the password; birthday attacks (the password is something personal about the person, like wife's name, soc. sec. number, birthday, etc) and dictionary attacks (the password is a word and appears in a standard dictionary) are the easiest to crack and the programs (usually) check these first. "rover" would be one of the first things a cracker would use as your password (especially if he/she knows you have a dog named rover) and should be avoided. FuckBillGates would be slightly harder, but essentially falls to a variation of the dictionary attack. Try something along the lines of
--- Code: ---
--- End code ---
since it is essentially random to begin with. For the ultra paranoid, use a 256 bit random key; for a computer running at the background radiation temperature of the universe (~3.5 K) to cycle through all values of a 256 bit counter, it would consume more energy than the sun puts out in 32 years -- and this doesn't take into account the energy necessary for computation.... (Applied Cryptography).
Incidentally, PGP uses 1024 bit keys as default (if I remember correctly).
-t.
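
Added example, not written by any poster in this thread: a Python sketch of the strength check the replies above recommend, applying voidmain's three rules and beltorak0's personal-information warning, and showing that a login check re-hashes the attempt instead of decrypting anything. The wordlist, the substitutions beyond O->0 and S->5, and all function names are assumptions; PBKDF2 stands in for the system's own password hash.

```python
import hashlib, hmac, os, string

# Constructed sample wordlist; a real audit would load a full dictionary file.
WORDLIST = {"rover", "password", "linux"}
# Undo the substitutions from the thread (O->0, S->5) plus a few assumed common ones.
UNLEET = str.maketrans({"0": "o", "5": "s", "1": "l", "3": "e", "4": "a", "@": "a", "$": "s"})

def normalize(pw):
    return pw.lower().translate(UNLEET)

def audit(pw, personal=()):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(pw) <= 5:
        problems.append("5 characters or fewer")
    # Compare the word itself and the word with trailing digits/punctuation removed.
    forms = {normalize(pw), normalize(pw.rstrip(string.digits + string.punctuation))}
    if forms & WORDLIST:
        problems.append("dictionary word or simple variation")
    if any(normalize(p) in normalize(pw) for p in personal if p):
        problems.append("contains personal information")
    classes = {"lowercase": str.islower, "uppercase": str.isupper, "digit": str.isdigit,
               "special": lambda c: c in string.punctuation}
    for name, check in classes.items():
        if not any(check(c) for c in pw):
            problems.append("no " + name + " character")
    return problems

def hash_password(pw, salt=None):
    """One-way salted hash (PBKDF2-HMAC-SHA256 stands in for the system's crypt)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def verify(pw, salt, stored):
    # Login never decrypts: it re-hashes the attempt with the stored salt and compares.
    return hmac.compare_digest(hash_password(pw, salt)[1], stored)

if __name__ == "__main__":
    # Constructed sample passwords; "rover" is the pet name used in the thread.
    for candidate in ["rover", "R0ver1", "Pa55w0rd!", "k7#Vq!x2Lm"]:
        print(candidate, "->", audit(candidate, personal=["rover"]) or "ok")
```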