Date: Tue, 2 Oct 2001 01:07:38 -0700
From: "Crist J. Clark"
To: Nathan Mace
Cc: Jonathan Chen, freebsd-questions@FreeBSD.ORG
Subject: Re: shadow passwords
Message-ID: <20011002010738.J304@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu

On Tue, Oct 02, 2001 at 12:03:39AM -0400, Nathan Mace wrote:
> On Tue, 2 Oct 2001 15:34:10 +1200
> Jonathan Chen wrote:
>
> > On Mon, Oct 01, 2001 at 11:29:41PM -0400, Nathan Mace wrote:
> > > does freebsd support shadow passwords?
> >
> > FreeBSD does not show the encrypted password in /etc/passwd. It's stored
> > in /etc/master.passwd, and the only way you can see it is if you've got
> > root privileges. And if someone has root, the system's open to them.
> >
>
> sweet...that's what i wanted to know...but what about making the
> master.passwd entries harder to crack? what would keep them from
> somehow getting a copy and using pure brute force to crack it? i'm
> currently using MD5(i think, not sure) is that the best encryption to
> use?

The limitation of DES is the eight-character limit. If you are using
eight characters or less, there is really no difference whether you
use DES or MD5. The methodology to crack either would be identical and
the differences in computation time would not really be
important. Using MD5 is really only better if you use passwords
greater than eight characters long (of course, one might argue that
just because you use MD5 you _could_ be using longer passwords could
discourage an attacker, but that's not real security).

In any case, do not use easy to guess passwords, i.e. dictionary
words, common misspellings, appending or prepending a number, or
substituting a number for letter (changing 'e' to '3,' or 'l' to '1',
etc.).

> also i read in the handbook how you can tell...the MD5 entries have a
> $1$ in them...my root passwd has it but my user account doesn't...what's
> up with that?

I recall that there once was a bug that caused this (was it never
fixed?), but it can also result from pilot error.
-- 
Crist J. Clark
cjclark@alum.mit.edu
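Added example, not part of the original message: a small audit of master.passwd-style lines that separates the `$1$` MD5 entries discussed above from traditional 13-character DES entries, which are subject to the eight-character limit. The sample lines, user names and hash strings are constructed; the 10-field layout and treating a leading `*` as "no login" are assumptions about the file format.

```python
import re

# Constructed sample in master.passwd layout (10 colon-separated fields).
# The hash strings only have the right shape; they are not real hashes.
SAMPLE = """\
# constructed sample, not from a real system
root:$1$abcdefgh$0123456789ABCDEFGHIJKL:0:0::0:0:Charlie &:/root:/bin/csh
alice:ab0123456789A:1001:1001::0:0:Example User:/home/alice:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
"""

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) salts and hashes
MD5_RE = re.compile(rf"\$1\${B64}{{1,8}}\${B64}{{22}}")  # $1$salt$hash
DES_RE = re.compile(rf"{B64}{{13}}")  # 2-char salt + 11-char hash

def classify(field):
    """Name the scheme of one password field by its shape alone."""
    if field == "":
        return "empty"      # no password set at all
    if field.startswith("*"):
        return "no-login"   # assumption: cannot match any password
    if MD5_RE.fullmatch(field):
        return "md5"
    if DES_RE.fullmatch(field):
        return "des"        # eight-character limit applies
    return "other"

def audit(text):
    """Map each user name to the scheme of its password field."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        results[fields[0]] = classify(fields[1])
    return results

def needs_attention(results):
    """Accounts still on DES, or with no password, sorted by name."""
    return sorted(u for u, kind in results.items() if kind in ("des", "empty"))

if __name__ == "__main__":
    for user, kind in audit(SAMPLE).items():
        print(f"{user:8} {kind}")
    print("review:", ", ".join(needs_attention(audit(SAMPLE))))
```

An account reported as `des` keeps that format until its password is next changed under the MD5 setting.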