Date: Thu, 13 Nov 1997 10:05:51 -0800 From: Julian Elischer <julian@whistle.com> To: "Randy A. Katz" <randyk@ccsales.com> Cc: Steve Hovey <shovey@buffnet.net>, questions@FreeBSD.ORG Subject: Re: ARE THEY ABLE TO CRACK UNIX PASSWORDS??? Message-ID: <346B417F.794BDF32@whistle.com> References: <3.0.5.32.19971113081706.00c0a960@ccsales.com> <3.0.5.32.19971113085135.00a3ce20@ccsales.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Randy A. Katz wrote: > > OK. > > We're using master.passwd, it seems they can just pull down this file and > crack it. They got my root passwd and logged in and created other users > which have root access. The password they got is something like 5693k. Did > they actually get it from sniffing? > > I just can't believe they guessed that password!???! > > This guys' driving me nuts! Help! > > Thanx, > Randy Katz > > > > >You cannot decrypt a unix password - however you can guess them, and there > >are utilities that look at the salt part of the password field of the > >password file, then encrypt a dictionary - and or common permutations of > >userid and gecos field info. > > > >If you use the master.passwd scheme and do not use NIS then they cant do > >much of anything unless they gain root access or via some trick get a copy > >of master.passwd - even then they gotta run guess software per above. > > > > are you keeping up with revisions? there are ways of getting in that bypass the passowrds.. we fix them as we find them.. so you need to keep up. what version are you running? are /etc/master.passwd and /etc/spwd.db only readable by root? check the sanity of all suid binaries... get the 2.2.5 CD and run the upgrade option. julian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?346B417F.794BDF32>