Schöön Martin wrote:

> I have a question regarding password safety and encrypting in unix
> and unix-like systems.
>
> Today I heard a story about a guy who had broken into the computer
> systems of a large corporation. The story teller claimed this guy
> had managed to download, among other things, complete lists of all
> unix accounts and the corresponding passwords.
>
> I have been a unix user since the 1980s and I have been told by
> various support persons that in unix the passwords are encrypted
> and if I forget mine I have to get a new, temporary one from my
> administrator because there is no way to look up and decrypt my
> password.
>
> What is the truth on this matter?
>

The honeypot project people set up some systems to see how
they got broken into. Linux systems usually fell to brute
dictionary attacks. The second most successful attack was
unpatched and vulnerable software. Decrypting a password
is hard, but that is not how systems get broken into.

Systems that have people using passwords that can be guessed
and do not have something set up to halt such dictionary attacks
will get cracked. Same thing with ssh passwords. Another
favorite cracker point of entry.

Once a cracker gains root, adding cracks that go around
all security is usually a snap. They can add backdoors
that don't even involve usual passwords.

Sniffers get you the passwords you need then.
The cracker logs on through his backdoor and downloads
sniffed logins and passwords.

They don't even try cracking encrypted password files.



--
"If lightning is the anger of the gods, the
gods are concerned mostly with trees."
- Lao Tse

Cheerful Charlie