Shadow password

from Wikipedia, the free encyclopedia

Shadow password refers to a method of protecting passwords that is used in many Unix-like systems. The stored password hash is protected against access by unauthorized users, so that weak passwords cannot be broken by brute-force or dictionary attacks.

Problem situation

Before shadow passwords were introduced, all relevant user data, including the hash value of the password, was stored in a single file. This file (/etc/passwd) had to be readable by all users so that application programs could resolve user IDs to user names (for example, to display file permissions), and it could therefore easily be used for attacks on the system.

Solution in Unix systems

The apparently simple solution of separating the password hashes from the other user data into two files requires an effective separation of user rights and system rights within the operating system, since privileged access to the password hashes on behalf of unprivileged users, for example when logging into the system, must remain possible.
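The split described above, modelled with constructed sample files (an added shell example, not from the article and not code from the Shadow Password Suite): a world-readable passwd-style file that carries only the x placeholder, a shadow-style file with mode 0640 holding placeholder hashes, a UID-to-name lookup that needs nothing beyond the passwd-style file, and a check for hashes left behind in the readable file. All paths, names and hash strings are constructed; the real /etc/passwd and /etc/shadow are never read.

```shell
#!/bin/sh
# Added example: a small model of the passwd/shadow split using constructed
# sample files in a temporary directory. The real system files are not touched.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"
SHADOW="$WORK/shadow"

# Constructed /etc/passwd-style file: the password field is only "x",
# so the file can stay world-readable without exposing any hash.
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice Example:/home/alice:/bin/sh
bob:x:1001:1001:Bob Example:/home/bob:/bin/sh
EOF
chmod 644 "$PASSWD"

# Constructed /etc/shadow-style file with placeholder (not real) hashes.
# Only root and privileged helpers such as login, su and passwd may read it.
cat >"$SHADOW" <<'EOF'
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
EOF
chmod 640 "$SHADOW"

# What an unprivileged program (ls -l, for instance) needs: UID -> user name.
# This touches only the passwd-style file. Usage: uid_to_name FILE UID
uid_to_name() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# The hash field of one account from the shadow-style file.
# Usage: shadow_hash_field FILE USER
shadow_hash_field() {
    awk -F: -v user="$2" '$1 == user { print $2; exit }' "$1"
}

# Returns 0 when the "other" read bit is set on FILE, 1 otherwise.
# Parses ls -l (column 8 is the other-read bit) so it works with GNU and BSD ls.
others_can_read() {
    case "$(ls -l "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit: print every passwd entry whose password field holds something other
# than the "x" placeholder, i.e. a hash still sitting in the world-readable file.
passwd_entries_with_hashes() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

echo "uid 1000 -> $(uid_to_name "$PASSWD" 1000)"
echo "hash field of bob: $(shadow_hash_field "$SHADOW" bob)"
others_can_read "$SHADOW" && echo "WARNING: shadow file is world-readable"
echo "passwd entries with hashes: $(passwd_entries_with_hashes "$PASSWD")"
```

The same audit applied to a real host would read /etc/passwd with an ordinary account and expect no output from passwd_entries_with_hashes, while others_can_read on /etc/shadow should return 1.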

Such a system was first used by the Unix derivatives System V 3.2 and 4.3BSD Reno. Users of other systems were initially left out. In 1987, Julianne Frances Haugh developed the Shadow Password Suite, which originally contained the login, su, and passwd commands. The Shadow Password Suite was developed for SCO Xenix but was soon ported to other platforms, for example to Linux in 1992.

Adoption

Shadow passwords have since become the standard procedure on Unix and Linux. This closed the security loophole in the original Unix concept and effectively prevents unauthorized access to users' password hashes; the possibility for a normal user to abuse them with brute-force and dictionary attacks is limited, if not eliminated. However, various network-based authentication systems, such as the Network Information Service (NIS, formerly known as Yellow Pages, YP), still transmit the password hashes over the network and thereby allow an attacker unauthorized access to them. The trend is therefore towards stronger hashing methods for the passwords.
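The move towards stronger hashing methods is visible in the password field itself: modern crypt(3) hashes carry an identifier prefix, while the original DES-based format has none. As an added shell example (not from the article), the audit below classifies each account's hash by that prefix and flags the legacy methods a migration would target. The shadow-style entries are constructed placeholders with made-up salts and hash strings, not real hashes.

```shell
#!/bin/sh
# Added example: classify the hashing method of shadow-style password fields by
# their crypt(3) identifier prefix and flag legacy methods. Sample data is constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SHADOW_SAMPLE="$WORK/shadow"

# Constructed shadow-style file: placeholder salts/hashes, one entry per method.
cat >"$SHADOW_SAMPLE" <<'EOF'
root:$6$SALTSALT$PLACEHOLDERHASHVALUE:19000:0:99999:7:::
alice:$y$j9T$SALTSALT$PLACEHOLDERHASHVALUE:19000:0:99999:7:::
legacy:$1$SALTSALT$PLACEHOLDERHASH:19000:0:99999:7:::
olddes:ABxyPLACEHOLD:19000:0:99999:7:::
guest::19000:0:99999:7:::
bob:!:19000:0:99999:7:::
EOF

# Print a label for the hashing method encoded in one password field.
# Prefixes: $y$ yescrypt, $2a$/$2b$/$2y$ bcrypt, $6$ sha512crypt,
# $5$ sha256crypt, $1$ md5crypt; 13 characters without '$' is traditional DES.
hash_method() {
    case "$1" in
        '')          echo empty ;;     # no password hash at all
        '!'*|'*'*)   echo locked ;;    # account disabled (hash may follow the '!')
        '$y$'*)      echo yescrypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$6$'*)      echo sha512crypt ;;
        '$5$'*)      echo sha256crypt ;;
        '$1$'*)      echo md5crypt ;;
        *)
            # Traditional DES crypt: 13 characters, 12-bit salt, and only the
            # first 8 characters of the password are significant.
            case "$1" in
                *'$'*) echo unknown ;;
                *) if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
            esac ;;
    esac
}

# Print "user method" for every account in FILE, with " weak" appended for
# methods a current system should migrate away from.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        m=$(hash_method "$field")
        case "$m" in
            descrypt|md5crypt|empty) echo "$user $m weak" ;;
            *) echo "$user $m" ;;
        esac
    done <"$1"
}

# Only the account names that were flagged weak.
weak_accounts() {
    audit_shadow "$1" | awk '$3 == "weak" { print $1 }'
}

audit_shadow "$SHADOW_SAMPLE"
```

Running the audit on a real /etc/shadow requires root, which is exactly the point of the shadow split: the classification can only be done by someone who is already allowed to see the hashes.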
