11-16-2005
Simon Bone
 
Re: password security in *nix systems?

On Wed, 16 Nov 2005 13:12:21 +0100, Schöön Martin wrote:

> I have a question regarding password safety and encrypting in unix and
> unix-like systems.
>
> Today I heard a story about a guy who had broken into the computer
> systems of a large corporation. The story teller claimed this guy had
> managed to download, among other things, complete lists of all
> unix accounts and the corresponding passwords.
>
> I have been a unix user since the 1980s and I have been told by
> various support persons that in unix the passwords are encrypted
> and if I forget mine I have to get a new, temporary one from my
> administrator because there is no way to look up and decrypt my
> password.
>
> What is the truth on this matter?


Passwords on Linux are saved in a hashed form. You can think of that as a
lossy encryption if you like. There is no unique way back from the hash to
the password.

However, if someone has a copy of all the passwords for a machine, they
can attempt at their leisure to crack them using brute force. That means
trying lots of possible passwords out to see if they generate a match to
the hashes in the list. There are several programs out there that do this
for you, e.g. Jack-the-ripper. The most common passwords are all likely to
be crackable this way, given enough time.

HTH

Simon Bone

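An added example, not part of the original post: how a stored salted hash is checked at login, and how an administrator can audit their own hash list against common passwords, which is the guessing process the reply describes. PBKDF2-HMAC-SHA256 from Python's standard library stands in here for the system's password hashing scheme (an assumption), and the account names, passwords and function names are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed cost for this example; real systems tune this


def make_record(password: str, salt: bytes | None = None) -> str:
    """Return 'salt$hash' in hex: what is stored instead of the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare.

    Nothing is decrypted; the only operation available is hash-and-compare.
    """
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def audit(records: dict[str, str], common: list[str]) -> list[str]:
    """Return the accounts whose stored hash matches a common password."""
    return sorted(
        user
        for user, record in records.items()
        if any(verify(guess, record) for guess in common)
    )


# Constructed sample data: two hypothetical accounts and a tiny wordlist.
SAMPLE = {
    "alice": make_record("password1"),
    "bob": make_record("x7#Lq!v2Rm_eW9tz"),
}
COMMON = ["123456", "password1", "letmein"]

if __name__ == "__main__":
    print("accounts needing a password reset:", audit(SAMPLE, COMMON))
```

The per-record salt means two users with the same password get different stored values, so each guess has to be hashed again for every account.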