password security in *nix systems?

#11
11-17-2005
Schöön Martin
Re: password security in *nix systems?


Thanks all and extra points to Edward Leiper for style :-)
It seems I was on safe ground when I voiced my scepticism.

Another thing struck me later yesterday. It was also claimed that all
that data and tons of other corporate secrets were downloaded through
an unprotected connection at a trade show and this had taken a mere
20 minutes. That must have been quite a connection!

--
========================================================================
Martin Schöön <Martin.Schoon@gmail.com>

"Problems worthy of attack
prove their worth by hitting back"
Piet Hein
========================================================================
#12
11-20-2005
wbarwell
Re: password security in *nix systems?

Schöön Martin wrote:

> I have a question regarding password safety and encrypting in unix
> and unix-like systems.
>
> Today I heard a story about a guy who had broken into the computer
> systems of a large corporation. The story teller claimed this guy
> had managed to download, among other things, complete lists of all
> unix accounts and the corresponding passwords.
>
> I have been a unix user since the 1980s and I have been told by
> various support persons that in unix the passwords are encrypted
> and if I forget mine I have to get a new, temporary one from my
> administrator because there is no way to look up and decrypt my
> password.
>
> What is the truth on this matter?
>


The honeypot project people set up some systems to see how
they got broken into. Linux systems usually fell to brute
dictionary attacks. The second most successful attack was
unpatched and vulnerable software. Decrypting a password
is hard, but that is not how systems get broken into.

Systems that have people using passwords that can be guessed
and do not have something set up to halt such dictionary attacks
will get cracked. Same thing with ssh passwords. Another
favorite cracker point of entry.

Once a cracker gains root, adding cracks that go around
all security is usually a snap. They can add backdoors
that don't even involve usual passwords.

Sniffers get you the passwords you need then.
The cracker logs on through his backdoor and downloads
sniffed logins and passwords.

They don't even try cracking encrypted password files.



--
"If lightning is the anger of the gods, the
gods are concerned mostly with trees."
- Lao Tse

Cheerful Charlie
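The post above says that systems with guessable passwords and nothing "set up to halt such dictionary attacks" get cracked, and names ssh as a favourite point of entry. The following is an added example, not code from the thread or from any of its posters: it parses sshd "Failed password" lines in the format sshd writes to the system auth log, and flags a source address that produces a burst of failures within a short window, which is the signal a lockout tool or an alert would act on. The log lines are constructed, the host and addresses are made up, and the threshold of 5 failures in 60 seconds is an assumption chosen for illustration.

```python
"""Flag password-guessing bursts against sshd from auth-log lines.

Added example, not from the thread. The sample log is constructed and the
threshold/window values are assumptions picked for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd uses (addresses made up).
SAMPLE_LOG = """\
Nov 20 03:14:01 host1 sshd[2301]: Failed password for invalid user oracle from 198.51.100.7 port 51012 ssh2
Nov 20 03:14:03 host1 sshd[2303]: Failed password for invalid user test from 198.51.100.7 port 51014 ssh2
Nov 20 03:14:05 host1 sshd[2305]: Failed password for root from 198.51.100.7 port 51016 ssh2
Nov 20 03:14:08 host1 sshd[2307]: Failed password for invalid user admin from 198.51.100.7 port 51018 ssh2
Nov 20 03:14:10 host1 sshd[2309]: Failed password for invalid user guest from 198.51.100.7 port 51020 ssh2
Nov 20 03:20:44 host1 sshd[2350]: Failed password for martin from 192.0.2.15 port 40001 ssh2
Nov 20 03:20:51 host1 sshd[2352]: Accepted password for martin from 192.0.2.15 port 40003 ssh2
Nov 20 04:00:00 host1 sshd[2400]: Failed password for root from 203.0.113.9 port 33000 ssh2
Nov 20 05:30:00 host1 sshd[2500]: Failed password for root from 203.0.113.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2005):
    """Return (timestamp, result, user, src) or None for lines we do not care about.

    syslog lines carry no year, so one is supplied (assumed 2005 to match the thread).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Return {src: total_failures} for every source that produced at least
    `threshold` failed logins inside any `window_seconds` span.

    A sliding window over each source's sorted failure times catches a burst
    even when the same source also has a few failures spread hours apart.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "Failed":
            failures[parsed[3]].append(parsed[0])

    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits inside window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for src, n in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logins, burst exceeds threshold")
```

Run against the constructed log, only 198.51.100.7 is flagged: five failures in nine seconds. The single failure from 192.0.2.15 followed by a successful login looks like a typo, and the two root failures from 203.0.113.9 are ninety minutes apart, so neither crosses the threshold; a real deployment would tune threshold and window to the host's normal login pattern.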
#13
11-20-2005
Carlos Moreno
Re: password security in *nix systems?

Unruh wrote:

>>Today I heard a story about a guy who had broken into the computer
>>systems of a large corporation. The story teller claimed this guy had
>>managed to download, among other things, complete lists of all
>>unix accounts and the corresponding passwords.

>
> Sure. hashed passwords. They then have to run an exhaustive search against
> the hashed list to discover the actual password. I am not sure why anyone
> believes anything that a "friend who heard it from a sister in law who
> heard it from her milkman" says.


Are you talking about the OP? Why would you "accuse" him of
such naiveness? First of all, he did not say how many levels
of "hearsay" the story went through -- for all we know, he
could have read it in CNN (in which case there's no doubt
about whether or not we should believe it ;-))

But second -- who said that anyone is believing anything?
The fact that he's asking here simply means that he is giving
the story the benefit of the doubt. That seems like a very
sensible thing to do -- asking here is a sensible thing to
do.

Give the guy a break! :-)

>>I have been a unix user since the 1980s and I have been told by
>>various support persons that in unix the passwords are encrypted

>
> It is hashed not encrypted. If it were encrypted it could be recovered.


Nit pick -- no, not really. If you encrypt the text with a key
that is obtained from the text, then it can not be recovered.
Or if you encrypt with a public key for which the private key
has been discarded (which the system could have, for the sole
purpose of encrypting the passwords).

I know that you're going to say that what I describe above is
not encryption, but hashing -- I'm not sure if that would be
a valid claim (semantics!); what I'm saying is that the term
"encryption", taken literally, can mean many things (in fact,
I recently read a book that talks about "one-way encryption";
that's the name they give to hashes -- I'm not sure if that's
a standard/accepted term; it certainly is the first time I
see that term to refer to hashes)

Carlos
--
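Two claims above are worth seeing side by side: Unruh's "it is hashed not encrypted, if it were encrypted it could be recovered", and Carlos's nitpick that encrypting a constant with a key obtained from the password is just as unrecoverable. The following is an added example, not code from the thread or from any poster; it uses only the Python standard library. Variant 1 is a salted, iterated hash of the kind a modern shadow file holds; variant 2 is Carlos's construction, with a keyed MAC standing in for the block cipher that classic crypt(3) used, since the standard library ships no DES. In both variants only a salt and an output are stored, so the only way to get a password back is the exhaustive search Unruh mentions, shown as a guess-and-verify loop so that it is clear what the salt and iteration count are there to make expensive. The salt size and iteration count are assumptions chosen for illustration.

```python
"""Why a password store can be verified but not decrypted.

Added example, not from the thread. Standard library only; the salt length
and iteration count are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os

# --- Variant 1: salted, iterated hash (what a modern /etc/shadow entry holds) ---

def hash_password(password, salt=None, iterations=200_000):
    """Return 'iterations$salt$digest' in hex. No key exists, so nothing can decrypt it."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest from the candidate and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- Variant 2: Carlos's nitpick, "encrypt" a constant with a key taken from the text ---
# Classic crypt(3) ran DES with the password as the key over an all-zero block.
# Here HMAC-SHA256 stands in for the cipher (an assumption of this example):
# the key *is* the password and only the output is stored, so there is no key
# on disk to decrypt with. The store is one-way in the same sense as variant 1.

CONSTANT_BLOCK = b"\x00" * 8  # the fixed "plaintext" that gets encrypted


def keyed_constant(password, salt):
    """Return 'salt$mac' where mac = MAC(key=password, salt || constant block)."""
    key = password.encode()  # key obtained directly from the text being protected
    mac = hmac.new(key, salt + CONSTANT_BLOCK, hashlib.sha256).hexdigest()
    return f"{salt.hex()}${mac}"


def verify_keyed_constant(password, stored):
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(keyed_constant(password, bytes.fromhex(salt_hex)), stored)


# --- The only route back from either store: guess and verify ---

def dictionary_search(stored, candidates):
    """Return the first candidate that verifies, or None.

    This is the exhaustive search Unruh refers to. Each attempt costs a full
    PBKDF2 run, and the per-user salt means the work cannot be shared across
    accounts; raising `iterations` raises the attacker's cost and the
    defender's login cost by the same factor.
    """
    for word in candidates:
        if verify_password(word, stored):
            return word
    return None


if __name__ == "__main__":
    entry = hash_password("correct horse")
    print("verify right password:", verify_password("correct horse", entry))
    print("verify wrong password:", verify_password("Correct horse", entry))
    print("constant-block variant:", verify_keyed_constant("hunter2", keyed_constant("hunter2", os.urandom(8))))
```

The comparison in both verify functions uses `hmac.compare_digest` so that a mismatch takes the same time regardless of how many leading bytes agree; a plain `==` on the digests would leak that through timing.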
#14
11-22-2005
Schöön Martin
Re: password security in *nix systems?

Carlos Moreno <moreno_at_mochima_dot_com@mailinator.com> writes:

> Unruh wrote:
>

<snip>
> > believes anything that a "friend who heard it from a sister in law who
> > heard it from her milkman" says.

>
> Are you talking about the OP? Why would you "accuse" him of
> such naiveness? First of all, he did not say how many levels
> of "hearsay" the story went through -- for all we know, he
> could have read it in CNN (in which case there's no doubt
> about whether or not we should believe it ;-))
>
> But second -- who said that anyone is believing anything?
> The fact that he's asking here simply means that he is giving
> the story the benefit of the doubt. That seems like a very
> sensible thing to do -- asking here is a sensible thing to
> do.
>

The OP (me) heard this at work and voiced some scepticism. Then
the OP (me) wanted to double check. The rest is history as they say.

--
========================================================================
Martin Schöön <Martin.Schoon@gmail.com>

"Problems worthy of attack
prove their worth by hitting back"
Piet Hein
========================================================================