[25] in linux-security and linux-alert archive
Re: Shadow Passwords?
daemon@ATHENA.MIT.EDU (Rik Faith)
Mon Mar 6 20:19:49 1995
Date: Mon, 6 Mar 1995 19:59:16 -0500
From: Rik Faith <faith@cs.unc.edu>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: [Don Bennett <don@engr.mun.ca>] Sun 5 Mar 1995 19:59:45 -0330
CC: faith@cs.unc.edu, don@engr.mun.ca
Reply-To: linux-security@tarsier.cv.nrao.edu

In general the "shadow password" technique is set up as follows: For all
entries in the /etc/passwd file, the encrypted passwords are moved to
another file, such as /etc/shadow. While /etc/passwd needs to be readable
by anyone on the system, /etc/shadow needs only to be readable by a
restricted group, perhaps only the superuser. This is supposed to keep
adversaries from obtaining the encrypted password list and running a
dictionary attack against it.

This idea of "information hiding" is one of many techniques that broadly
fit under the category of "security through obscurity." Based on people
who I have talked with in the Linux community, there are two main opinions
about "security through obscurity": 1) it might help and it can't hurt, so
let's use it; and 2) it actually can hurt because it provides a false sense
of security and should not be used.

I'm sure people will point out many advantages of using shadow passwords,
so I'm going to talk about the disadvantages.

The main assumption when dealing with a shadow password system is that use
of this system guarantees that an adversary will not get your encrypted
password list. However, there are many ways humans can make mistakes which
will lead to the release of the password list. Perhaps the "adversary"
actually has had root access in the past, perhaps by being in the
sysadmin's office at the right time, or by being a former employee. The
"adversary" might not have had the time (or the foresight) to install any
backdoors, but may have swiped your password file. Or there may have been
some error made in the permission setting of the /etc/shadow file --
perhaps someone did a "chmod a+r /etc/*" without thinking about the
implications for /etc/shadow. Or there may have been a security problem
that you just fixed after reading a CERT advisory, but which made your
password list readable by anyone in the world. I'm sure you can think of
many other situations in which the contents of the /etc/shadow file could
be unwittingly released to an adversary.

The problem with using systems like shadow passwords is that these systems
give you a false sense of security -- in this case, they make you think
that your password list is safe and secure. The warm, fuzzy feeling
provided often prevents sysadmins from using superior, proactive methods
for protecting the password file.

The simplest, most-bang-for-the-buck proactive system is a simple
replacement for passwd. No other system utilities need be changed -- only
/bin/passwd needs replacing. There are currently several replacement
passwd programs available in the unix world, such as Matt Bishop's passwd+
from dartmouth.edu:/pub/security and Mark Handerson's ANLpasswd from
info.mcs.anl.gov:/pub/systems. Basically, when a user changes her
password, these programs compare the selection to a dictionary (and to the
gecos field, etc.) in the same way that a password cracker would. If the
user has selected a "weak" password, these proactive programs force the
user to make another selection.

Without using a proactive password checker, you must always worry about
password cracking attacks (research over the last 15 years suggests that,
without a proactive checker, a large percentage of your users will select a
simple, crackable password, often a woman's first name). If you depend on
a shadow password system to protect your passwords, then the release of
your /etc/shadow will almost guarantee that your system is vulnerable.
However, when using a proactive password checker, you can broadcast your
passwd file to the world knowing that there is a fairly low probability
that it contains passwords which are crackable in a reasonable amount of
time. Forcing users to periodically select new passwords can also reduce
this probability.
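
The proactive check described in the message above, as an added example (not part of the original post, and not code from passwd+ or ANLpasswd): a candidate password is compared to a word list and to the user's login name and GECOS field after undoing the simple transformations a cracker would try. The word list, the passwd entry, the minimum length and all function names are assumptions constructed for illustration.

```python
import re

# Constructed sample data (not from the post): a tiny word list and one
# passwd(5) entry whose fifth field is the GECOS field.
SAMPLE_WORDS = {"password", "secret", "dragon", "susan", "linux"}
SAMPLE_ENTRY = "jdoe:x:1001:100:Jane Q. Doe,Room 12,555-0100:/home/jdoe:/bin/sh"
MIN_LENGTH = 8  # assumed site policy
UNLEET = str.maketrans("013457$@", "oieastsa")  # undo common substitutions


def personal_words(passwd_entry):
    """Login name plus every GECOS token of three or more characters."""
    fields = passwd_entry.split(":")
    tokens = re.findall(r"[a-z0-9]+", fields[4].lower())
    return {fields[0].lower()} | {t for t in tokens if len(t) >= 3}


def candidate_roots(password):
    """Undo the cheap transformations a cracker also tries: case changes,
    digits or punctuation tacked on the ends, substitutions, reversal."""
    lowered = password.lower()
    stripped = re.sub(r"^\d+|[\W\d_]+$", "", lowered)
    roots = set()
    for form in (lowered, stripped):
        for variant in (form, form.translate(UNLEET)):
            roots.update((variant, variant[::-1]))
    roots.discard("")
    return roots


def check_password(password, passwd_entry, words=SAMPLE_WORDS):
    """Return None if the choice is acceptable, else the rejection reason."""
    if len(password) < MIN_LENGTH:
        return "too short"
    roots = candidate_roots(password)
    if any(p in r for p in personal_words(passwd_entry) for r in roots):
        return "contains account information"
    if roots & words:
        return "based on a dictionary word"
    return None


if __name__ == "__main__":
    for pw in ("Susan1995", "nogard99", "p@ssw0rd1", "jdoe1234", "vT9#qLm2xK"):
        print(pw, "->", check_password(pw, SAMPLE_ENTRY) or "accepted")
```

A replacement passwd would call a check like this before writing the new hash, and would ask the user to choose again whenever a reason is returned.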