Password Audit & Securing

Strong passwords are a MUST. Secure connections are also a MUST, i.e. no FTP or any other protocol that sends the password in clear text.

Audit Passwords

To audit your passwords you need to install a program called 'John the Ripper', or simply 'john'. It cracks the password hashes offline; any hash it recovers quickly belongs to a password that needs changing.

apt-get install john
unshadow /etc/passwd /etc/shadow > /root/passwd.txt   # on any modern system the hashes live in /etc/shadow, not /etc/passwd; unshadow (shipped with john) merges the two
chmod 600 /root/passwd.txt       # the merged file holds every hash on the box, keep it root-only and delete it afterwards
john --single /root/passwd.txt   # a single pass: guesses built from the login name and GECOS fields only
john /root/passwd.txt            # default run: single crack, then wordlist, then incremental mode
john --show /root/passwd.txt     # list the accounts cracked so far
john                             # prints all available options
john /path/to/htpasswd           # also happily cracks Apache htpasswd files
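Before starting john it pays to look at what is actually in /etc/shadow. The script below is an added example, not code from the original page or from the john project: it labels each entry's hash type (empty, locked, DES, md5crypt, sha256/sha512crypt, yescrypt, bcrypt), flags the accounts that need attention before any cracking, and wraps the unshadow/john sequence for a live system. The function names and the sample shadow lines are this example's own; the sample hashes are constructed filler, not real credentials.

```shell
#!/bin/sh
# Added example, not from the original wiki page: a pre-audit of an
# /etc/shadow-style file. It labels every account's hash type so you know
# which entries are locked, have no password at all, or still use a weak
# hash (md5crypt, DES) before you spend CPU on john. Function names and
# sample lines are this example's own; the sample hashes are constructed
# filler, not real credentials.

# classify_hash HASHFIELD -> prints one label for the second field of a
# shadow entry
classify_hash() {
    h=$1
    case "$h" in
        "")            echo "EMPTY (no password: login may be possible without one)" ;;
        '!'*|'*'*)     echo "LOCKED" ;;   # a hash after '!' is still crackable if the file leaks
        '$y$'*)        echo "yescrypt (strong)" ;;
        '$6$'*)        echo "sha512crypt (ok)" ;;
        '$5$'*)        echo "sha256crypt (ok)" ;;
        '$2'[aby]'$'*) echo "bcrypt (strong)" ;;
        '$1$'*)        echo "md5crypt (WEAK: fast to crack, rehash by changing the password)" ;;
        *)
            # traditional DES crypt: exactly 13 characters, no '$' prefix,
            # and only the first 8 characters of the password count
            if [ "${#h}" -eq 13 ]; then
                echo "DES crypt (WEAK: 8 character limit, change the password)"
            else
                printf 'UNKNOWN (%s)\n' "$h"
            fi ;;
    esac
}

# audit_shadow FILE -> prints "user: label" per entry; exit status 1 when at
# least one account needs attention (no password or weak hash), so it can
# gate a cron job or a CI check
audit_shadow() {
    bad=0
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        label=$(classify_hash "$hash")
        printf '%s: %s\n' "$user" "$label"
        case "$label" in
            EMPTY*|*WEAK*) bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# write_sample_shadow FILE -> constructed shadow lines for the demo below
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopq:19000:0:99999:7:::
alice:$1$saltsalt$0123456789abcdefghijklm:19000:0:99999:7:::
bob:AbCdEfGhIjKlM:19000:0:99999:7:::
carol::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:!:19000:0:99999:7:::
EOF
}

# run_john -> the real thing on a live system (as root). john only sees
# hashes if /etc/passwd and /etc/shadow are merged first; unshadow ships
# with the john package.
run_john() {
    command -v unshadow >/dev/null 2>&1 || { echo "john not installed: apt-get install john" >&2; return 1; }
    umask 077                                          # merged file is root-only
    unshadow /etc/passwd /etc/shadow > /root/unshadowed.txt
    john --single /root/unshadowed.txt   # quick pass: guesses built from login/GECOS
    john /root/unshadowed.txt            # full run: single, wordlist, then incremental
    john --show /root/unshadowed.txt     # what has been cracked so far
}

# demo on the constructed sample (nothing here touches /etc/shadow)
demo=$(mktemp)
write_sample_shadow "$demo"
audit_shadow "$demo" || echo "=> some accounts need attention before (or instead of) cracking"
rm -f "$demo"
```

On the sample the script reports alice (md5crypt), bob (DES) and carol (no password) as needing attention and exits non-zero; the empty and locked entries are ones john would never report, which is why they are worth catching separately.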

Hydra is a related tool but works differently: instead of cracking a hash file offline it tries logins against a running network service (ssh, ftp, http and others), so it tests the service's exposure to guessing as much as the password itself.

Force Strong Passwords

apt-get install libpam-cracklib
# pam_cracklib hooks into the 'passwd' command through PAM: changing a
# password now checks the strength of the new one first.
# (Newer releases no longer ship libpam-cracklib; install libpam-pwquality
# and use pam_pwquality.so instead, which takes the same options.)
vi /etc/pam.d/common-password
# comment out the following line:
#password   required   pam_unix.so nullok obscure min=4 max=8 md5
# and put these two in its place. pam_cracklib must come first, and pam_unix
# needs use_authtok so it stores the password cracklib has just accepted
# instead of prompting again. 'md5' is the hash used for stored passwords;
# keep it only on old systems, current ones should use sha512 (or the
# yescrypt default).
password   required   pam_cracklib.so retry=3 minlen=6 difok=3
password   required   pam_unix.so use_authtok nullok md5

That's it. A user who tries to set a password that is too short, too simple or too similar to the old one is refused. Legend:

retry=N : prompt the user at most N times before returning an error (3 in the example above)
minlen=N : minimum acceptable size of the new password, as a score rather than a plain character count: every character counts 1, and each character class present (digit, upper, lower, other) can add a credit, so a short password that mixes classes scores higher than one of the same length in lower case only
difok=N : at least N characters of the new password must differ from the old one, otherwise the user sees "BAD PASSWORD: is too similar to the old one"
You can also tune the per-class credits that feed the minlen score:
dcredit=N : digits (N >= 0: at most N credits for digits; N < 0: at least |N| digits required)
ucredit=N : upper-case letters (same rule)
lcredit=N : lower-case letters (same rule)
ocredit=N : other characters (same rule)

Note: The restrictions apply only to normal users. Root can still set a weak password, for itself or for any other account, unless enforce_for_root is added to the pam_cracklib line.
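The edit to common-password is easy to get wrong, and a typo or a reference to a module that is not installed breaks 'passwd' for every user. The script below is an added example, not code from the original page or from Debian: it applies the change above with a backup, checks that the module file exists before touching the live file, and does nothing on a second run. File path, module names and option values are the page's; the function names and the constructed sample file are this example's own.

```shell
#!/bin/sh
# Added example, not from the original wiki page: apply the common-password
# change with a backup, a check that the module is installed, and no
# duplicate lines when run twice. Function names are this example's own.

PAM_FILE=${PAM_FILE:-/etc/pam.d/common-password}
CRACKLIB_LINE='password   required   pam_cracklib.so retry=3 minlen=6 difok=3'

# pam_module_present NAME.so -> 0 if the module sits in a PAM security
# directory (e.g. /lib/x86_64-linux-gnu/security/)
pam_module_present() {
    find /lib /lib64 /usr/lib /usr/lib64 -path '*/security/*' -name "$1" 2>/dev/null | grep -q .
}

# enable_cracklib FILE -> rewrites FILE (a common-password file): inserts the
# pam_cracklib line before the first pam_unix password line, removes
# pam_unix's own obscure/min/max checks from that line and adds use_authtok
# so pam_unix stores the password cracklib just accepted. Whatever hash
# option the line already has (md5, sha512, yescrypt) is kept. Idempotent;
# a copy of the original is left in FILE.bak.
enable_cracklib() {
    f=$1
    if grep -q 'pam_cracklib\.so' "$f"; then
        echo "pam_cracklib already configured in $f"
        return 0
    fi
    cp -p "$f" "$f.bak"
    awk -v crack="$CRACKLIB_LINE" '
        /^password/ && /pam_unix\.so/ && !done {
            print crack
            sub(/ obscure/, "")
            sub(/ min=[0-9]+/, "")
            sub(/ max=[0-9]+/, "")
            if ($0 !~ /use_authtok/) sub(/pam_unix\.so/, "pam_unix.so use_authtok")
            done = 1
        }
        { print }
    ' "$f.bak" > "$f"
    if ! grep -q 'pam_cracklib\.so' "$f"; then
        echo "no pam_unix password line found in $f; content unchanged, backup in $f.bak" >&2
        return 1
    fi
}

# install_and_enable -> what you would run as root on the live system
install_and_enable() {
    if ! apt-get install -y libpam-cracklib; then
        echo "libpam-cracklib not available: newer releases dropped it, install libpam-pwquality" >&2
        echo "and put pam_pwquality.so in CRACKLIB_LINE (same retry/minlen/difok options)" >&2
        return 1
    fi
    pam_module_present pam_cracklib.so || { echo "pam_cracklib.so not found; refusing to edit $PAM_FILE" >&2; return 1; }
    enable_cracklib "$PAM_FILE"
}

# demo on a constructed copy of an old-style Debian common-password, never
# the live file; run install_and_enable as root for the real thing
demo=$(mktemp)
printf '%s\n' \
    '# constructed sample of /etc/pam.d/common-password' \
    'password   required   pam_unix.so nullok obscure min=4 max=8 md5' > "$demo"
enable_cracklib "$demo"
cat "$demo"
enable_cracklib "$demo"      # second run: already configured, nothing changes
rm -f "$demo" "$demo.bak"
```

Debian's own pam-auth-update profile inserts pam_cracklib as 'requisite' rather than 'required'; either works here because pam_unix fails anyway when use_authtok finds no accepted password, but 'requisite' stops the stack immediately. Test the result with 'passwd' as a normal user in a second session before logging out of the one you edited in.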

References (legend info): Debian page

Generate a Strong Random Password

Use pwgen, as described elsewhere on this wiki.