Explaining Shadowed Passwd Files.

Since there are so many newbies out there that dont know what is the difference between a shadowed passwd file is, and a regular passwd file, I have decided to write this small but yet informative file.


So you have your basic unix box. As we all know there is a password file in /etc/passwd, the passwd file contains all the usernames and DES encrypted passwords, if however you see all the logins but instead of the encrypted password you see a x,* or in some cases a ! It means the passwd file is shadowed


A shadowed passwd file is no good. There are rumours it can be
cracked, this is partially true, there is a script that supposidly unshadow\'s shadowed passwd files, however you need to be in a shell on the computer you are attacking. However, thats not the lame part, the lame part is that people think they can download a shadowed /etc/passwd file, put it on their
computer and use a cracker such as cracker jack, or John the ripper to crack it, what is this insanity is everyone around me computer illetirate, hopefully not after you finish reading this text phile.

Well for all you people who thought that, i have some disturbing news to tell you it simply isnt possible s give it up. Think about it! When you have passwd shadowing, the computer stores the file which is shadowed in the /etc/passwd file, and
the one that has the encrypted passwords in /etc/shadow or depending on the system it could be somewhere else, take BSD for example it\'s password file that has the encrypted password is called /etc/master.passwd.

So that is why you simply cannot crack all those passwd files you find at the .com,.net,.edu, or .org domains, you especially won\'t have a chance in hell if you\'re on a winblows 95/98 box, so go buy linux.:pink:

Regards

Good Info :greenthum

If you quoted it from somewhere, maybe you should mention the source.

well thank you, it is my own article and not quoted down from anywhere, if u find it on any other forum or website, plz do check the name ( it might be me only )

Not really sure how this relates to the hosting community, but ok.

Password protection is only as good as the password behind it. What I mean is that any (any) password can be brute forced, it's just a matter of time.

Example:
I routinely run a program called john the ripper (not going to link to it here, but you can find it @ freshmeat). This application will crack damn near anything, though it takes time.

The reason for running this? I want to make sure that my servers (and those watched by myself) are reasonably secure. Usually I'll pull out a list of about 20-30 users within 10 minutes. I let it go for a week, and I'll pull quite a few more.

Now, if you're talking security on web applications, that's a completely and totally different area. What I'm in the process of doing now, with my cms setup is triple password encryption, meaning:

The user's password is encrypted using a user key
The user's key is then encrypted using a system key

In other words, you've got to break 2 pretty decent MD5 keys to just get to the user password. This (somewhat) protects from the vulnerabilities associated with weak passwords, though you're still going to have a huge vulnerability there.

Instead of quoting portions of articles, you should quote the whole thing, and post references, next time so that the rest of the community knows where to go to get them ;).

I wrote this article years before and i wanted to let you know one thing.

it is not easily to break all passwords using brute force algorithim, well it depends upon the encryption side how secure is your password. ( can u break RAS algorithim )

it is not easily to break all passwords using brute force algorithim

Didn't say it was "easy", as I said it depended on the password, but it CAN be done, in some cases, easily, in some not so.