Password Security - PowerPoint PPT Presentation

Slides: 9
Provided by: Bru95

Transcript and Presenter's Notes

1
Lesson 10
  • Password Security

2
Objectives
  • How passwords are hashed in the UNIX passwd file.
  • Password security vulnerabilities.
  • Methods used to crack the passwd file.
  • Methods used to sniff passwords over the network.

3
Hashing Passwords
  • Passwords are hashed using a one-way hashing
    function, such as crypt().
  • The password is hashed together with a salt to add
    complexity, and the salt is prepended to the
    hashed password.
  • The hashed password is stored in the /etc/passwd
    file.

4
Password Vulnerabilities
  • Reusable passwords are a significant security
    vulnerability.
  • If an intruder acquires a user's password, the
    intruder can masquerade as the legitimate user.
  • Passwords may be guessed or sniffed over the
    network.

5
Password Cracking
  • If the passwd file is readable, the passwords may
    be cracked.
  • Cracking tools make a guess for a given password,
    then hash the guessed password using the crypt()
    function and the same salt as the stored
    password.
  • If the hashed output matches the stored hashed
    password, the password is cracked!
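
The guess, hash, compare loop from the Hashing Passwords and Password Cracking slides, written as a defender's weak-password audit. This is an added example, not part of the original presentation. It assumes PBKDF2-HMAC-SHA256 from Python's hashlib as a stand-in for crypt(), a hypothetical "salt$hash" entry format, and constructed sample accounts.

```python
import hashlib
import hmac
import os

# Assumed work factor for the stand-in hash; kept low so the example runs quickly.
ITERATIONS = 20_000


def hash_password(password, salt=None):
    """Return 'salt$hash' in hex, with the salt prepended as the slide describes."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(guess, stored):
    """Hash the guess with the stored salt and compare it to the stored entry."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(guess, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def audit(entries, weak_list):
    """Return {user: password} for every account whose hash matches the weak list."""
    findings = {}
    for user, stored in entries.items():
        for word in weak_list:
            if verify(word, stored):  # nothing is decrypted, only re-hashed
                findings[user] = word
                break
    return findings


# Constructed sample data: alice and bob share a password but get different salts.
ENTRIES = {
    "alice": hash_password("letmein"),
    "bob": hash_password("letmein"),
    "carol": hash_password("T7#qv!mZ2r-long-passphrase"),
}
WEAK_LIST = ["password", "123456", "letmein"]

if __name__ == "__main__":
    print("same password, different entries:", ENTRIES["alice"] != ENTRIES["bob"])
    print("accounts to reset:", audit(ENTRIES, WEAK_LIST))
```

Because each entry carries its own salt, every guess has to be hashed once per account, and only the passwords that appear on the weak list are recovered.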

6
Password Sniffing
  • Ethernet sniffers configure the network interface
    to run in promiscuous mode.
  • When run by root, sniffers can capture all
    network traffic including the data.
  • Programs such as Telnet and FTP perform
    authentication in clear text, so account and
    password information may be sniffed.

7
Questions (T/F)
  • 1. Passwords are hashed using crypt()?
  • 2. Reusable passwords are not a security
    vulnerability?
  • 3. Password cracking programs decrypt the hashed
    password from the password file?
  • 4. Telnet sends passwords in clear text?
  • 5. Ethernet sniffers crack the stored passwords?

8
Answers
  • 1. True
  • 2. False
  • 3. False
  • 4. True
  • 5. False