Yuppa, Christian Röpke wrote: [...]
ok, but if we knows, that there is a way to crack the shadow file, why don't we use a secure algorithm ? (triple DES or AES) Are there no implementation for this algorithms ? (a DES cracker-maschine costs about 100.000 $)
because it's not in the current security focus anymore. Of course there are still ppl who conduct massive brute-force/dictionary/leaking attacks against servers, but this also leaves a comparably big audit trail in the system; in most Linux (and Unix) distros/derivates, failed login attempts will logged to a file, say /var/log/messages or whatever your mileage may be. Even very dumb/uninspired admins would notice this. I don't say that they'd do something against it, but they sure would notice it... |-) The *real* problem are clear-text passwords, as used in telnet, ftp, pop3, etc. Most attackers would not go the hard and tedious way of feeding a 100 MB dictionary with even more strange words and phrases in order to find a couple of lousy passwords for some pop3 accounts, all they would have to do is to abuse one of the many obvious and not-so-obvious flaws of demons/servers, apps or protocols, get into the machine, install a sniffer, and finally harvest the passwords for an easy return to the victim system. If I got you right, you haven't implemented any deeper security on your system(s), so there we go... If an attacker would be able to get your shadow and passwd, you would have more to worry about than the question wether your password salts are DES (=crap) or 3DES (=triple crap) encrypted. Boris ---