December 6, 2004

CLI Magic: passwd and passwords

Author: Joe Barr

I don't want to disturb your GUI-induced nap, but for your own good -- and for the security of your system -- you need to be concerned about two things: learning how to use the passwd command and learning how to create strong passwords. Yes, it may require a teensy tiny bit of effort on your part, but consider the alternative.The passwd command is easy to use. As a regular user, simply type the command at the CLI. You'll see something like this in response:
warthawg@linux:~> passwd
Changing password for warthawg.
Old Password:

You're asked for the old password as a matter of security. So if you've just gotten up from your desk to get a fresh cup of coffee, walk-by evil-doers are not able to play a prank on you by changing your password and locking you out of your own system. Once you've entered the old password, you're asked for the new one, and then asked to repeat it. If you enter the same new password twice, it's changed. It looks like this. Note that the actual passwords you've typed do not show up on the screen.

New password:
Re-enter new password:
Password changed.

If you want to change another user's password, the format for the command is slightly different, and you must do it as root. Instead of simply typing passwd, you enter passwd username. It goes like this:

linux:/home/warthawg # passwd username
Changing password for username.
New password:
Re-enter new password:
Password changed.

Note that as superuser, you're not asked to provide the old password, just the new one. It's good to be king. As with all the other commands we cover in this column, be sure and visit with the man -- man passwd that is -- to learn more about passwd and what else you can do with it.

So why -- since passwd is such an easy command to use -- bother to do a column on it? Good question, lightning bug. The answer is that it's almost as easy to crack weak passwords as it is to change them.

What's a weak password?

Basically, any name or dictionary word is weak. Why? Because password cracking software works very well and very quickly from word lists which probably contain the one you're using. Even using the small, sample wordlist that comes with the John the Ripper download, the program cracked two user account passwords on my system in half a second. That's weak.

Dates are weak, too. Especially if the cracker knows you and your birthday, anniversary, children's birthdays, and so on.

What's a strong password?

Here are my seven rules for making strong passwords. I'm not exactly an expert on the subject, so you may want to create your own list of best practices for your password administration.

  • Do not use dictionary words
  • Do not use names
  • Do not use dates
  • Do not use the same password elsewhere
  • Do mix upper-lower case
  • Do use at least 6 characters
  • Do change it now and then

The strongest password would be a random string made up of mixed case, alphanumeric characters. Something like 8TY1khRz. But the problem with truly random passwords is that they are not just hard to crack, they are hard to remember. So you either have to memorize them -- and if you're like me, you still might forget them -- or write them down where you can find them. The problem with that, of course, is that means others can find them too.

If you do have to write them down, keep them in your wallet. You're unlikely to lose that or leave it lying around, making it better than a slip of paper at your desk or taped to your monitor that anyone can see.

Better yet is to come up with a mnemonic to help you remember the password, instead of writing it down. The password shown above, for example, would be easier to remember as "Eighty-one kilohertz" than as 8TY1khRz.

Just remember, you get a better starting point for security with Linux than with Windows, but you are still the most important element in your security. Don't take your passwords for granted.

Click Here!