Password Audit & Securing


Strong passwords are a must, and so are encrypted connections: never let a password travel in the clear over ftp, telnet, http or similar; use ssh/sftp and TLS instead.

Audit Passwords

To audit your passwords you need the program 'john the ripper', packaged and invoked simply as "john". Run it as root: on any modern system the hashes live in /etc/shadow (readable only by root) and /etc/passwd holds just an 'x' in the password field, so pointing john at /etc/passwd alone finds nothing.

apt-get install john
john --single /etc/shadow   # single-crack mode only: guesses built from the account name and GECOS fields (the old "-single" spelling still works)
john /etc/shadow            # default run: single crack, then the wordlist pass, then incremental brute force
john                        # with no arguments, prints all available options
john /path/to/htpasswd      # also happily cracks Apache htpasswd files (user:hash lines)

Single-crack mode works best on a file merged from /etc/passwd and /etc/shadow with the unshadow tool that ships with john, because it mines the GECOS field for guesses. Delete that merged copy when you are done: it holds every hash on the box.

Hydra (thc-hydra) is often mentioned alongside john, but it is a different kind of tool: it guesses passwords against live network services (ssh, ftp, http forms, ...) instead of cracking a hash file offline, so it is slow, noisy, and will trigger account lockouts and intrusion alerts. For auditing your own hashes, use john.
Source/More info: http://www.debian-administration.org/articles/59
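The procedure above, as an added example that is not part of the original wiki page or of the john package: a quick pre-audit of /etc/shadow for accounts that need attention before any cracking starts (empty passwords, legacy DES and MD5 hashes), followed by a guarded john run. The sample shadow lines, the placeholder hashes and the path under /root/ are constructed for illustration.

```shell
#!/bin/bash
# Added example for this wiki page (not from the original text or from john):
# pre-audit a shadow file, then run john on the merged passwd+shadow.

# audit_shadow SHADOWFILE
# Prints "user:FINDING" for every account that needs attention even before
# john is started, and returns 1 if anything was found:
#   EMPTY_PASSWORD  empty hash field: login with no password at all
#   DES_CRYPT       13-char traditional crypt(3): only 8 chars count, brute-forceable in hours
#   MD5_CRYPT       $1$: fast to crack, migrate to $6$ (SHA-512) or yescrypt
#   UNKNOWN_HASH    not recognised, look at it by hand
# Locked/disabled accounts (* or ! prefix) are skipped.
audit_shadow() {
    local shadow="$1" found=0 user hash rest
    while IFS=: read -r user hash rest; do
        case "$hash" in
            "")                          echo "$user:EMPTY_PASSWORD"; found=1 ;;
            '*'*|'!'*)                   ;;   # locked or disabled
            '$1$'*)                      echo "$user:MD5_CRYPT"; found=1 ;;
            '$5$'*|'$6$'*|'$y$'*|'$2'*)  ;;   # SHA-256, SHA-512, yescrypt, bcrypt
            *)  if [ "${#hash}" -eq 13 ]; then
                    echo "$user:DES_CRYPT"
                else
                    echo "$user:UNKNOWN_HASH"
                fi
                found=1 ;;
        esac
    done < "$shadow"
    return "$found"
}

# make_sample_shadow FILE: writes a constructed shadow file. The hash strings
# are placeholders with realistic prefixes/lengths, not real password hashes.
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$placeholderplaceholderplaceholderplaceholderplaceholderplaceholderplaceholderplaceho:19000:0:99999:7:::
oldapp:$1$saltsalt$placeholderplaceholde:19000:0:99999:7:::
legacy:abJnggxhB/yWI:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:!$6$saltsalt$lockedaccountplaceholder:19000:0:99999:7:::
EOF
}

# run_john PASSWD SHADOW [MERGED]
# Merges passwd and shadow (single-crack mode mines GECOS/username from
# passwd), runs single-crack and wordlist modes, shows what was cracked and
# removes the merged copy so a file full of hashes is not left behind.
# Needs root and the john package (unshadow and password.lst ship with it
# on Debian). Plain "john $merged" would additionally continue into
# incremental brute force.
run_john() {
    local passwd="$1" shadow="$2" merged="${3:-/root/merged.pw}"   # /root path is an assumption
    command -v john >/dev/null 2>&1 || { echo "john is not installed (apt-get install john)" >&2; return 2; }
    unshadow "$passwd" "$shadow" > "$merged" || return 1
    chmod 600 "$merged"
    john --single "$merged"                                          # pass 1: single crack
    john --wordlist=/usr/share/john/password.lst --rules "$merged"   # pass 2: dictionary + mangling rules
    john --show "$merged"                                            # cracked user:password pairs (kept in ~/.john/john.pot)
    rm -f "$merged"
}

# Demo on the constructed sample (safe to run anywhere). Pass --crack to run
# john against the real /etc/passwd and /etc/shadow as root.
sample=$(mktemp)
make_sample_shadow "$sample"
audit_shadow "$sample" || echo "fix the accounts above before bothering with a cracker"
# prints: oldapp:MD5_CRYPT / legacy:DES_CRYPT / guest:EMPTY_PASSWORD, then the warning
rm -f "$sample"
if [ "${1:-}" = "--crack" ]; then run_john /etc/passwd /etc/shadow; fi
```

The pre-audit is worth running on its own: an empty password field or a 13-character DES hash is a finding regardless of what john would eventually recover, and it costs nothing. The cracking run itself is left out of the demo so that the script never touches the real shadow file unless you ask for it.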

Force Strong Passwords

apt-get install libpam-cracklib
# this installs a PAM module that 'passwd' (and anything else changing passwords through PAM) consults:
# every new password is checked against the cracklib dictionary and the rules configured below.
vi /etc/pam.d/common-password
# comment out the following line:
#password   required   pam_unix.so nullok obscure min=4 max=8 md5
# and replace it with these two (pam_cracklib checks the new password, pam_unix then stores it;
# use_authtok makes pam_unix take the password cracklib already approved instead of prompting again):
password required         pam_cracklib.so retry=3 minlen=6 difok=3
password required         pam_unix.so use_authtok nullok md5

Two caveats: nullok lets accounts with an empty password field log in, so drop it unless you really depend on it; and on current Debian releases prefer sha512 over md5 for the stored hash, and remember that common-password is managed by pam-auth-update, which can overwrite hand edits.

That's it. A user trying to set too short a password etc. will be refused. Legend (the numbers below are just examples; the line above uses retry=3 minlen=6 difok=3):

retry=N : prompt the user at most N times before returning an error.
minlen=N : minimum "score" a new password must reach. The score is the length plus the credits earned from the options below, so with the default credit of 1 per character class a password mixing all four classes may be 4 characters shorter than minlen. cracklib itself also refuses anything under its own hard-coded minimum length, whatever minlen says.
difok=N : at least N characters of the new password must differ from the old one; otherwise the user sees "BAD PASSWORD: is too similar to the old one".
The credit options, each defaulting to 1, tune how much every character class counts toward minlen:
dcredit=N : digits
ucredit=N : upper-case letters
lcredit=N : lower-case letters
ocredit=N : other characters (punctuation etc.)
N >= 0 is the maximum credit that class can earn; N < 0 turns it into a hard requirement for at least -N characters of that class and earns no credit (e.g. dcredit=-1 requires at least one digit).

Note: the restrictions are enforced only for normal users. Root is shown the warning but can still set a weak password for any account (newer pam_cracklib versions add an enforce_for_root option to change that).
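The minlen/credit arithmetic from the legend above, as an added example that is not part of the original wiki page or of pam_cracklib itself: a shell re-implementation of the module's "simple" length check (my reading of its algorithm, so treat it as an approximation), which lets you try a candidate policy against passwords without touching a real account. It models only that check; cracklib's dictionary lookup and its own hard-coded minimum length run before it in the real module and are not reproduced, so the real module is stricter. The candidate passwords and the stricter second policy are my own constructed examples.

```shell
#!/bin/bash
# Added example for this wiki page, not pam_cracklib's own code: reimplements
# the minlen/credit arithmetic (length + capped credits >= minlen, negative
# credits as hard minimums) so a policy can be tested on the command line.
export LC_ALL=C   # make the A-Z / a-z byte ranges behave predictably

# count_chars PASSWORD TRSET -> how many characters of PASSWORD are in TRSET
count_chars() { echo $(( $(printf '%s' "$1" | tr -cd "$2" | wc -c) )); }

# apply_credit COUNT N -> credit earned by a class with COUNT characters:
#   N >= 0  each character counts 1 toward minlen, capped at N
#   N <  0  hard requirement for at least -N characters, no credit (fails -> return 1)
apply_credit() {
    local count="$1" credit="$2"
    if [ "$credit" -ge 0 ]; then
        if [ "$count" -lt "$credit" ]; then echo "$count"; else echo "$credit"; fi
    else
        [ "$count" -ge $(( 0 - credit )) ] || return 1
        echo 0
    fi
}

# cracklib_ok PASSWORD [MINLEN DCREDIT UCREDIT LCREDIT OCREDIT]
# Defaults are the module's: minlen=6, one credit per class. Returns 0 when
# length + earned credits >= minlen and every hard minimum is met.
cracklib_ok() {
    local pw="$1" minlen="${2:-6}"
    local dc="${3:-1}" uc="${4:-1}" lc="${5:-1}" oc="${6:-1}"
    local d u l o need="$minlen" earned
    d=$(count_chars "$pw" '0-9')
    u=$(count_chars "$pw" 'A-Z')
    l=$(count_chars "$pw" 'a-z')
    o=$(( ${#pw} - d - u - l ))          # everything else: punctuation, space, non-ASCII bytes
    earned=$(apply_credit "$d" "$dc") || return 1; need=$(( need - earned ))
    earned=$(apply_credit "$u" "$uc") || return 1; need=$(( need - earned ))
    earned=$(apply_credit "$l" "$lc") || return 1; need=$(( need - earned ))
    earned=$(apply_credit "$o" "$oc") || return 1; need=$(( need - earned ))
    [ "${#pw}" -ge "$need" ]
}

# dictionary_check PASSWORD: the real cracklib dictionary test, available when
# the cracklib-runtime package is installed (prints "<pw>: OK" or the reason).
dictionary_check() {
    command -v cracklib-check >/dev/null 2>&1 || { echo "cracklib-check not installed" >&2; return 2; }
    printf '%s\n' "$1" | cracklib-check
}

# Demo: the page's policy (minlen=6, default credits) versus a stricter one
# of my own choosing (12 characters with at least one of every class).
# Candidate passwords are constructed for illustration.
for pw in abc s3cret 'Tr0ub4dor&3' 'Correct-Horse-7'; do
    a=$(cracklib_ok "$pw" 6  1  1  1  1 && echo ok || echo REJECT)
    b=$(cracklib_ok "$pw" 12 -1 -1 -1 -1 && echo ok || echo REJECT)
    printf '%-16s minlen=6: %-7s minlen=12,credits=-1: %s\n' "$pw" "$a" "$b"
done
# abc              minlen=6: REJECT  minlen=12,credits=-1: REJECT
# s3cret           minlen=6: ok      minlen=12,credits=-1: REJECT
# Tr0ub4dor&3      minlen=6: ok      minlen=12,credits=-1: REJECT   (11 chars, no credit with N<0)
# Correct-Horse-7  minlen=6: ok      minlen=12,credits=-1: ok
dictionary_check password || true    # only informative where cracklib-check exists
```

The point to notice is how much the credits soften minlen: with the page's minlen=6 line, "s3cret" passes with four characters of real length to spare, while negative credits turn the same knobs into hard requirements that no amount of length can buy back.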

References:
http://darwish-07.blogspot.com/2007_06_01_archive.html
http://www.cyberciti.biz/tips/linux-check-passwords-against-a-dictionary-attack.html (legend info)
http://idahopcug.apcug.org/Debian/securing-debian-howto.en.pdf

Debian package page: http://packages.debian.org/unstable/libs/libpam-cracklib

Generate a Strong Random Password

pwgen
# generates random passwords; see the pwgen page on this wiki for the options