This is a discussion on a password cracking question within the Linux Security forums, part of the System Security and Security Related category.
OK, I am seeking to harden my system (and my brother's, who is a Linux newbie), so I got John the Ripper (password cracker) and am learning to use it to test my own system's passwords for strength. But the program requires that I have a copy of /etc/shadow (shadowed passwords); well, it seems to me that in order to have that file one must have already cracked some password to enter a PC system, so what is the point of Ripper other than testing passwords? I mean, how does a cracker get into a system in the first place using a password cracker, since it seems to be a Catch-22? Mind you, I am no cracker, I just want to learn to harden my system, learn to prevent crackers from getting in.

Proteus <nospam@nowhere.net> writes:

> ok i am seeking to harden my system (and my brother's who is a linux
> newbie), so I got John the Ripper (password cracker) and am learning to
> use it to test my own system's passwords for strength. But the program
> requires that I have a copy of /etc/shadow (shadowed passwords); well it
> seems to me that in order to have that file one must have already cracked
> some password to enter a PC system, so what is the point of Ripper other
> than testing passwords? I mean, how does a cracker get into a system in
> the first place using a password cracker since it seems to be a Catch22?
> Mind you, I am no cracker, I just want to learn to harden my system, learn
> to prevent crackers from getting in.

He might have found a backup tape lying around, for example. He might have booted the machine into single-user mode and gotten the file. One of the reasons that Linux went over to shadow passwords was that programs like yours were becoming popular.

Unruh wrote:

> ...
> He might have found a backup tape lying around for example. He might have
> booted into the machine in single user and gotten the file.
> One of the reasons that Linux went over to shadow passwords was that
> programs like yours were becoming popular.

So for my purposes, the main (good) use of a password cracking program is to test whether my users' (and mine, i.e. root) passwords are strong, right? (That is my intended purpose.) And how long do I let the password cracking program run before I assume my passwords are strong? I mean, one could in theory let the cracking program run for days or weeks. When is enough enough, when is a password considered strong enough (and how do I know if a password I create is strong enough to thwart crackers)?

Proteus <nospam@nowhere.net> writes:

> Unruh wrote:
> ...
>> He might have found a backup tape lying around for example. He might have
>> booted into the machine in single user and gotten the file.
>> One of the reasons that Linux went over to shadow passwords was that
>> programs like yours were becoming popular.
> So for my purposes, the main (good) use of a password cracking program is to
> test whether my users' (and mine, ie root) passwords are strong, right?
> (that is my intended purpose). And how long do I let the password cracking
> program run before I assume my passwords are strong-- I mean one could in
> theory let the cracking program run for days or weeks. When is enough
> enough, when is a password considered strong enough (and how do I know if a
> password I create is strong enough to thwart crackers?)?

The program, AFAIK, will finally quit. However, for root or for yourself you should KNOW if your password is good enough. It is silly to use the cracker program to test a password you know. You can look up what algorithm the cracker uses. It is primarily dictionary based, i.e. it checks if the word is in a dictionary, etc. In theory the cryptlib module in PAM which checks the passwords when you enter them should use the same type of program that the cracker does to check the password when entered. Unfortunately Alec Muffett's idea of what is a weak password and mine differ.

Proteus wrote:

> So for my purposes, the main (good) use of a password cracking program is to
> test whether my users' (and mine, ie root) passwords are strong, right?
> (that is my intended purpose). And how long do I let the password cracking
> program run before I assume my passwords are strong-- I mean one could in
> theory let the cracking program run for days or weeks. When is enough
> enough, when is a password considered strong enough (and how do I know if a
> password I create is strong enough to thwart crackers?)?

You should install cracklib and enable it in your PAM. This library will test the password when the user changes it; if it's a (possibly) insecure password, it will warn the user. You can also configure it to only allow 'secure' passwords. This will enable you to have some control over the passwords of the users, without the need of asking them what they entered as password. I think this is what you need.

When is a password strong enough? Depends for what purpose it is used...

--
Christophe 'ElCascador' Vandeplas
http://www.vandeplas.com

Christophe Vandeplas <christophe@vandeplas.com> writes:

> Proteus wrote:
>> So for my purposes, the main (good) use of a password cracking program is to
>> test whether my users' (and mine, ie root) passwords are strong, right?
>> (that is my intended purpose). And how long do I let the password cracking
>> program run before I assume my passwords are strong-- I mean one could in
>> theory let the cracking program run for days or weeks. When is enough
>> enough, when is a password considered strong enough (and how do I know if a
>> password I create is strong enough to thwart crackers?)?
> You should install cracklib and enable it in your pam.

It is already there on most distributions.

> This library will test the password when the user changes it,
> if it's a (possible) unsecure password, it will warn the user.
> You can also configure it to only allow 'secure' passwords.

It is somewhat idiosyncratic in its choice of what a bad password is. It was also developed for the old 8-byte crypt(3) password, and is not as useful for the md5-based BSD password hash now in use.

> This will enable you to have some control over the passwords of the
> users, without the need of asking them what they entered as password.

I wish Muffett would have introduced password shaping (i.e. so you could specify what password types you felt were inappropriate). Muffett's choice sometimes is too stringent and sometimes too lenient, IMHO.

> I think this is what you need.

As I said, he probably has it. It comes standard with PAM.

> When is a password strong enough? Depends for what purpose it is used...

> Mind you, I am no cracker, I just want to learn to harden my system, learn
> to prevent crackers from getting in.

You might check to see if your distros are compatible with Jay Beale's "Bastille-Linux". He provides some ways for hardening. Perhaps you other folks would like to comment on Bastille-Linux for the newbie... <http://www.bastile-linux.org/>

In article <dbjal5$bhb$6@nntp.itservices.ubc.ca>, Unruh <unruh-spam@physics.ubc.ca> wrote:

> Christophe Vandeplas <christophe@vandeplas.com> writes:
>
>> You should install cracklib and enable it in your pam.
>> This library will test the password when the user changes it,
>> if it's a (possible) unsecure password, it will warn the user.
>> You can also configure it to only allow 'secure' passwords.
>
> It is somewhat ideosyncratic in its choice of what a bad password is. It
> was also developed for the old 8 byte crypt(3) password, and is not as
> useful for the md5based bsd password hash now in use.

What difference does it make what hash is used? I thought the cracklib option would check the password the user entered _before_ it was encrypted.

Lawrence D'Oliveiro <ldo@geek-central.gen.new_zealand> writes:

> In article <dbjal5$bhb$6@nntp.itservices.ubc.ca>,
>  Unruh <unruh-spam@physics.ubc.ca> wrote:
>> Christophe Vandeplas <christophe@vandeplas.com> writes:
>>
>>> You should install cracklib and enable it in your pam.
>>> This library will test the password when the user changes it,
>>> if it's a (possible) unsecure password, it will warn the user.
>>> You can also configure it to only allow 'secure' passwords.
>>
>> It is somewhat ideosyncratic in its choice of what a bad password is. It
>> was also developed for the old 8 byte crypt(3) password, and is not as
>> useful for the md5based bsd password hash now in use.
> What difference does it make what hash is used? I thought the cracklib
> option would check the password the user entered _before_ it was
> encrypted.

It has been a while since I looked at the source code, but when I did it was strongly set up for 8-character passwords. Thus if you give it more it would just test the first 8, if I recall properly. Also the md5 passwords can essentially be of arbitrary length, which makes cracking them much harder, and makes the use of password checking less useful.
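As an added example (not code from the thread, and not cracklib itself), here is a small Python checker in the style the thread describes: it runs on the cleartext at password-change time, before any hashing, as Christophe's post says, and its `truncate_to` switch mimics the old 8-character crypt(3) behaviour from Unruh's last post, showing how a checker built for that hash passes a long md5-era password whose tail is a dictionary word. The word list, the leet table and the candidate passwords are constructed for the demo.

```python
# Added example: a minimal cracklib-style strength check run on the cleartext.
# CONSTRUCTED_DICT stands in for a real word list (constructed for the demo).
CONSTRUCTED_DICT = {"password", "linux", "proteus", "secret", "welcome", "dragon"}
LEET = str.maketrans("0134@$", "oleaas")  # undo common letter-for-digit swaps


def _variants(pw: str):
    """Forms a rule-based cracker tries first: lowercased, trailing digits and
    punctuation stripped, leet-speak undone, and reversed."""
    base = pw.lower()
    stripped = base.rstrip("0123456789!@#$%")
    for form in (base, stripped):
        yield form
        yield form.translate(LEET)
        yield form[::-1]


def contains_dict_word(pw: str) -> bool:
    """True if any variant equals, or contains, a list word (5+ letters for the
    substring test, so very short words do not cause false positives)."""
    for v in _variants(pw):
        if v in CONSTRUCTED_DICT:
            return True
        if any(w in v for w in CONSTRUCTED_DICT if len(w) >= 5):
            return True
    return False


def check_password(pw: str, truncate_to: int = 0) -> list:
    """Return the reasons a password is weak; an empty list means accepted.
    truncate_to=8 reproduces a checker that only looks at the first 8 chars,
    the crypt(3)-era behaviour described in the thread."""
    if truncate_to:
        pw = pw[:truncate_to]
    reasons = []
    if len(pw) < 8:
        reasons.append("too short")
    classes = sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))
    if classes < 3:
        reasons.append("fewer than three character classes")
    if contains_dict_word(pw):
        reasons.append("dictionary word (or simple variant)")
    if len(set(pw)) <= max(2, len(pw) // 3):
        reasons.append("too repetitive")
    return reasons


if __name__ == "__main__":
    for cand in ("password", "P@ssw0rd1!", "correct horse battery 7", "Xq7#kP2!password"):
        print(f"{cand!r:28} full: {check_password(cand)}  first-8-only: {check_password(cand, 8)}")
```

The last candidate is the point of the thread's exchange: the full check rejects it because "password" sits past the eighth character, while the 8-character check accepts it.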