Tuesday, October 16, 2012

Root Password made hack proof

  Unix  security and  super-user passwords, or  even  individual users passwords,  can be made almost hack proof by using some simple  concepts such as creating hashes.

  My general rule has always been to craft a password of at least 8 characters,  &  with at least one  Numerical and non-Alpha character and one Capitalized letter.


hommelite  would be a very bad password

Hommelite would still be a very bad password

H0mm3l1te would be much ideal and better but similar to homelite which is a dictionary word

   It's also preferred to not make a password off any dictionary based word, nor in any recognized language.

  I have approx 7gigs of  dictionary words, comprised of  English, French, Spanish, Afrikkan and a few other languages such as klingon :)  and these dictionaries have been modified with the simple unix "sed" substitution utility  methods  such as; changing "e"s to 3  or "i"s to 1 and so on. So if you use anything in that fashion  in your WifI PSK or passwords, I can crack those passwords within 7-21days on my fastest machines.

So what's one to do?

  Will the best  passwords are sometimes the hardest to remember. And then password management of these passwords get to be tiresome and cumbersome. I have a hack that I've been using for the last 5+ years that has been faultless. All of my encrypted password vaults or FileSystems are done this way at bare minimum.

Here's how we do it; Take your password or passphrase and hash it. Yes convert a simple secured password into a hash. If your real paranoid, hash the hash again or with another hash utility.

e.g using the common md5 hash alogrithim

sh-3.2$ md5 -s "here's my password"
MD5 ("here's my password") = afc87cfc34e9c6ea28dd239f7343d08f

So a simple phrase is taken and hash and the result hash will be use for that user password. It's quite long,  but it has no Capitalized characters of non-Alpha characters. If you believe you need this, then substitute the first and last characters or append a "salt" if you will like,  to the hash.

So now   afc87cfc34e9c6ea28dd239f7343d08f  becomes Afc87cfc34e9c6ea28dd239f7343d08f! for example.

Note: a true Salt is a random string append before the hashing operation, so you can do it this before or after.

e.g using a salt of  ^7yUkJ and the same passcode, or above would net me the following depending if I did it infront or behind the text to hash;

sh-3.2$ md5 -s "here's my password^7yUkJ"
MD5 ("here's my password^7yUkJ") = 3123ceebddaac4cb13fbb1aea0670935
sh-3.2$ md5 -s "^7yUkJhere's my password"
MD5 ("^7yUkJhere's my password") = 6ad22c1b4474abfdfc1986b259a11551

So no one will remember the Afc87cfc34e9c6ea28dd239f7343d08f! but they can easily remember the phrase that created the password.

A few hash utilities that I like and have used;

sha1 or sha256

Play around with this concept and approach and you can come up with some very simple, but yet effective  password strategies that would be very hard to break. A 33 character  password would take on average......Will go here and see it for your self  https://www.grc.com/haystack.htm

Also a few  key things to think about;
  1. you still need to change your password , and manage some type of life-cycle-expiration
  2. A strong password that's not  secured, is no good to the user
  3. use common sense with the execution and security of the passphrase ( i.e don't send it in the email or via regular HTTPs or FTP,etc...
I hope you found this  blog, as being helpful

Ken Felix
Your Security and Network Engineer
kfelix  at hyperfeed.com

No comments:

Post a Comment