Re: [cobalt-users] Help! forgot password of virtual site!
- Subject: Re: [cobalt-users] Help! forgot password of virtual site!
- From: Fabrice Prémel <fabrice@xxxxxxxxxx>
- Date: Mon Oct 16 12:09:30 2000
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>Yes, user passwords are found in /etc/shadow (readable only by root).
>
>Here's an example (I made this one up, so don't bother trying to
>crack it):
>
>wcwxv:v7IjIdbSXcVc.:11119:0:99999:7:::
>
>The colons ( : ) are the field separators. The first, leftmost field,
>in this example "wcwxv", is the username, the password is encrypted,
>represented by "v7IjIdbSXcVc.". It's a one-way encryption, but there
>are hacker programs out there.
>
Let me emphasize here: the crypt() function uses a one-way
encryption. 'Hacker programs' work by brute-forcing via a
dictionary. A well-chosen password is not guessable without
considerable computing power. Considerable means a super-computer,
for example.
(a small note to the original question: as root, you can type
'passwd blah' to change blah's password if you prefer not to edit
/etc/shadow)
>Why don't you just give it another password. Here's what we tell our
>customers: "Sorry, we don't save a record of your password. What we
>can do is install a new one for you; what password would you like?"
>
I would not advise that, unless your customers really know how to
pick a password. Not letting them choose is the best way to be sure
that only good passwords will be used.
Of course, this is a balance between security and ease-of-use, which
is a company's policy.
Hope that helps,
Fabrice Prémel.
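
Added example, not part of the original message: an audit-side parser for the colon-separated /etc/shadow entry format discussed in this thread. It names the hash scheme of each entry and converts the third field (days since 1970-01-01) to a date; the function names, the set of schemes treated as weak, and all sample entries other than the thread's made-up "wcwxv" line are assumptions of this example.

```python
import string
from datetime import date, timedelta

# Field order of an /etc/shadow entry, per shadow(5).
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
          "inactive", "expire", "reserved")
# Modular-crypt "$id$" prefixes and the scheme each one selects.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
DES_ALPHABET = set("./" + string.digits + string.ascii_letters)
# Assumption of this example: schemes an audit should flag for re-hashing.
WEAK = {"des-crypt", "md5crypt", "empty"}

SAMPLE = [
    "wcwxv:v7IjIdbSXcVc.:11119:0:99999:7:::",  # made-up entry from the thread
    "alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::",  # constructed
    "daemon:*:11119:0:99999:7:::",  # constructed, login disabled
]

def classify_hash(field):
    """Name the scheme of a shadow password field from its format alone."""
    if field == "":
        return "empty"  # no password required at all
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        parts = field.split("$")
        return SCHEMES.get(parts[1], "unknown") if len(parts) > 2 else "unknown"
    # Traditional DES crypt(): 2 salt characters + 11 hash characters.
    if len(field) == 13 and set(field) <= DES_ALPHABET:
        return "des-crypt"
    return "unknown"

def parse_shadow_line(line):
    values = line.rstrip("\n").split(":")
    if len(values) != len(FIELDS):
        raise ValueError("expected 9 fields, got %d" % len(values))
    entry = dict(zip(FIELDS, values))
    entry["scheme"] = classify_hash(entry["hash"])
    # lastchg counts days since 1970-01-01; it may be empty.
    entry["changed"] = (date(1970, 1, 1) + timedelta(days=int(entry["lastchg"]))
                        if entry["lastchg"] else None)
    return entry

def weak_accounts(lines):
    """Return the names of accounts whose hash scheme is in WEAK."""
    return [e["name"] for e in map(parse_shadow_line, lines) if e["scheme"] in WEAK]

if __name__ == "__main__":
    for e in map(parse_shadow_line, SAMPLE):
        print(e["name"], e["scheme"], e["changed"])
```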