Monday, September 13, 2010

Password Security Guide

Passwords are the primary way Red Hat Linux verifies that the user logging into the system is who he claims to be. This is why password security is enormously important for protection of the user, the workstation, and the network.

For security purposes, the Red Hat Linux installation program defaults to using the Message-Digest Algorithm (MD5) and shadow passwords. It is highly recommended that you do not alter these settings.

If you deselect MD5 passwords during installation, the older Data Encryption Standard (DES) format is used. This format limits passwords to eight alphanumeric characters (disallowing punctuation and other special characters) and provides a modest 56-bit level of encryption.

If you deselect shadow passwords, all user passwords will be stored as a one-way hash in the world-readable file /etc/passwd. This opens up your system to offline password cracking attacks. If an intruder can gain access to the machine as a regular user, he can view the /etc/passwd file and run any number of password cracking programs against it on his own machine. If there is an insecure password in the file, it is only a matter of time before the password cracker discovers it.


Shadow passwords eliminate this type of attack by storing the password hashes in the file /etc/shadow which is readable only by the root user.

This forces a potential attacker to attempt password cracking remotely by logging into a network service on the machine, such as SSH or FTP. This sort of brute-force attack is much slower and leaves an obvious trail as hundreds of failed login attempts will appear in the log files. Of course, if the cracker starts an attack in the middle of the night and you have weak passwords, he may have gained access before dawn.
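The distinction between the two storage choices above is visible in the password field of each account entry: `x` means the hash has been moved to /etc/shadow, a 13-character string is the legacy DES format, and a `$1$`-prefixed string is the MD5 format. The following audit script is an added example written for this post, not part of the original Red Hat documentation; the account lines it scans are constructed samples with dummy hash strings of the right shape, and the `$5$`/`$6$` prefixes it recognises are the later glibc SHA-256/SHA-512 formats, included so the check also works on newer systems.

```python
import re

# 13 characters from the crypt(3) alphabet: the traditional DES format.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# glibc crypt(3) prefixes; $1$ is the MD5 format the installer selects by default.
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}

def classify_hash(field):
    """Classify the password field of one /etc/passwd or /etc/shadow entry."""
    if field == "x":
        return "shadowed"          # real hash lives in /etc/shadow
    if field == "":
        return "empty"             # no password at all
    if field == "*" or field.startswith("!"):
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des"
    return "unknown"

def audit_passwd(text):
    """Return (user, category, finding) for every entry in a passwd-format file.

    /etc/passwd is world-readable, so any hash still stored in it is a finding;
    DES hashes are additionally flagged as the weak legacy format.
    """
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        cat = classify_hash(field)
        if cat in ("shadowed", "locked"):
            note = "ok"
        elif cat == "empty":
            note = "empty password"
        else:
            note = "hash exposed in world-readable file"
            if cat == "des":
                note += "; weak DES format (8-char limit)"
        findings.append((user, cat, note))
    return findings

# Constructed sample: the hash strings are dummies of the right shape, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:$1$saltsalt$abcdefghijklmnopqrstuv:500:500::/home/alice:/bin/bash
bob:AbCdEfGhIjKlM:501:501::/home/bob:/bin/bash
guest::502:502::/home/guest:/bin/bash
"""

if __name__ == "__main__":
    for user, cat, note in audit_passwd(SAMPLE_PASSWD):
        print(f"{user:8} {cat:9} {note}")
```

Pointing `audit_passwd` at the contents of a real /etc/passwd shows at a glance whether shadow passwords are in effect (every field should be `x`) and whether any legacy DES hashes remain.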

Beyond matters of format and storage is the issue of content. The single most important thing a user can do to protect his account is create a strong password, which makes it less susceptible to a password cracking attack.
