:LinuxWorld: Illuminating shadow passwords - What the software is, how to get it, how to use it
LinuxWorld: Illuminating shadow passwords - What the software is, how to get it, how to use it Jul 31, 2000, 23 :27 UTC (0 Talkback[s]) (1999 reads) (Other stories by Paul Dunne)
"Why shadow passwords? Simply put, the shadow password scheme addresses the major shortcoming of the
original Unix password-handling scheme, the fact that the password list was stored as a world-readable file."
"The encoding mechanism for Unix passwords was (and is) very secure, being a one-way algorithm and therefore
easy to apply but impossible to reverse. However, the password file itself is vulnerable to a cracking technique
known as a dictionary attack, in which all the words from a large dictionary file are encoded and compared with the
encoded password (readable by any user, remember) in /etc/passwd. This dictionary file is usually based on a
normal English-language dictionary, with the addition of slang and weak passwords like "gandalf," "xyzzy," "qwerty,"
or even (God help us) "password." If the two match, then the original unencoded word is the password."
"This may sound simple, but it takes a while to run the
tens, or hundreds, of thousands of dictionary entries
against a single password. Still, it is not extremely
difficult with today's high-performance computing
systems. Shadow passwords retain the Unix password
mechanism and its backward compatibility with the huge
Unix application base, while preventing the dictionary
attack."
