
RE: [cobalt-users] Checking user password



If you're running it on the server itself, Crack
(http://www.users.dircon.co.uk/~crypto/download/c50-faq.html) may be a
better choice than John, as its libraries are already in use by Red Hat
Linux (and other distros) as password sanity checkers.  Personally, I'd
rather save the CPU cycles on my RaQ for serving web pages and crack
passwords on the (usually idle) Wintendo machine I have at home.  For
standard UNIX passwords this is not too difficult a task.  For MD5 passwords
(which begin with the string: $1$), you may as well just set it instead.

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Steve Werby
Sent: Wednesday, December 05, 2001 2:19 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] Checking user password


"Kham Vue" <kvue@xxxxxxxxxxx> wrote:
> I have RAQ4 and RAQ3.  Is there a way to check the user's password?

Not directly.  The passwords are stored one-way encrypted, meaning they
can't be decrypted.

> If someone forgot their password, I usually change their password via
> the control panel.

That's about the best you can do, unless...

> Is there a way just to see what it is instead of changing it?

You could use something like John the Ripper, which is a password cracker
you can install on the server.  It works by taking a list of words,
word-number combinations, etc. from a dictionary and encrypting them, then
comparing the encrypted results with the encrypted passwords stored on your
server.  If there's a match it notes the cracked password.  It's good for
detecting weak passwords and can actually detect them very quickly, but if
the passwords are strong then it's not effective for your purposes (that's a
good thing) since by the time it cracked the password (if it did) your user
would have likely taken their business elsewhere.  On a few servers I manage
I run it periodically to check for weak passwords, then I contact the users
with weak passwords and ask that they change them.

John the Ripper: http://www.openwall.com/john/

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
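
Added example, not part of the original messages: a sketch that sorts accounts by password hash format, separating the $1$ MD5 format from standard UNIX crypt as distinguished in the reply above, so an administrator can see which accounts a periodic weak-password check should cover. The shadow-style `name:hash:...` layout, the sample entries and all function names are assumptions constructed for illustration.

```python
import re

# Constructed sample in shadow-file layout (name:hash:...); all hashes are made up.
SAMPLE = """\
root:$1$Ab3dEf9h$Q1w2E3r4T5y6U7i8O9p0a.:11660:0:99999:7:::
alice:ab1Cd2Ef3Gh4I:11660:0:99999:7:::
bob:!$1$Zz9yXx8w$a1b2c3d4e5f6g7h8i9j0k/:11660:0:99999:7:::
ftp:*:11660:0:99999:7:::
guest::11660:0:99999:7:::
"""

B64 = r"[./0-9A-Za-z]"                      # crypt(3) output alphabet
DES_RE = re.compile(rf"^{B64}{{13}}$")      # standard UNIX crypt: 13 characters
MD5_RE = re.compile(rf"^\$1\${B64}{{1,8}}\${B64}{{22}}$")  # $1$salt$hash


def classify(field):
    """Return the scheme name for one password field."""
    if field == "":
        return "empty"          # account has no password at all
    if field[0] in "!*":
        return "locked"         # login disabled, whatever hash follows
    if MD5_RE.match(field):
        return "md5-crypt"
    if DES_RE.match(field):
        return "des-crypt"
    return "unknown"


def audit(text):
    """Map each account name to its scheme, skipping blank and malformed lines."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue
        result[parts[0]] = classify(parts[1])
    return result


def needs_attention(text):
    """Accounts with no password or with the standard UNIX crypt format."""
    return sorted(n for n, s in audit(text).items() if s in ("empty", "des-crypt"))


if __name__ == "__main__":
    for name, scheme in audit(SAMPLE).items():
        print(f"{name:8} {scheme}")
    print("review:", ", ".join(needs_attention(SAMPLE)))
```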
