Creating User Passwords

by mike on June 19, 2010

The “-p” useradd option allows you to create a password at the same time that you create a user account. However, for two reasons, it’s an option that you really don’t want to use. First, it doesn’t hash the password. So, when you look in the “/etc/shadow” file, you’ll see the password there in plain text. Second, by entering the password as part of a “useradd” command, it’ll show up in your shell history, also in plain text. Your best bet is to ignore the “-p” option, and use two separate steps to create the user account and the password.

    useradd jane
    passwd jane

The passwd command is used to create the password for each user.

Users forget their passwords, and the administrator will often be expected to reset them. Looking up passwords is not a possibility because they are hashed in storage. A new password must be created with the passwd command. To reset the password for user john:

    passwd john

You will then be prompted to enter the new password twice.

Password Control

The usermod command can be used to set several account and password aging attributes. Here are several options:

    Option           Description
    -c comment       description of the user
    -d home_dir      change the home directory
    -e expire_date   assign an expiration date in the MM/DD/YYYY format
    -f inactivity    number of days before account disabled
    -g group         change primary group
    -G grouplist     set the list of groups that the user is in
    -l login_name    change login name for user
    -m               used only with -d option, home contents copied to new home directory
    -s shell         indicate a new shell
    -u user_id       change user ID

Modify an account.

    sudo usermod -e 05/01/2011 jane

The modified /etc/shadow shows the change to jane’s account.

    jane:$6$K0Y7yctA$kk2cxELHsfbDX4WMm4/XPMmuluzZoYMpTpzr7Um/E06iLO1xuyDtmgR7jkROwR0iuWF65p7XEmpmCsHpPBmKP0:14769:0:99999:7::15095:

Check Password

The command chage -l can be used to show the status of a user’s password protection. Let’s say you wanted to check the status of jane’s password.

    chage -l jane
    Last password change                                    : Jun 09, 2010
    Password expires                                        : never
    Password inactive                                       : never
    Account expires                                         : May 01, 2011
    Minimum number of days between password change          : 0
    Maximum number of days between password change          : 99999
    Number of days of warning before password expires       : 7

Choosing good passwords, and informing users about password security and enforcing it, is an important task for the administrator. Security is built upon passwords, so close attention should be paid to making passwords an effective security tool.

Aspects of a Good Password

1. 8 characters or more
2. use numbers in the password
3. use letters in the password
4. use case in the password
5. avoid dictionary words

These five aspects are critical because software programs can employ “brute force” tactics to try to guess passwords on your network. Using the five aspects above will make it more difficult to crack your passwords.

On most systems, security begins at the user level. One of the most important aspects of user security is the user password. A lot of security can go down the drain with poor passwords that can be easily cracked. Several important elements of a user password are the length of the password, its randomness and the forced creation of new passwords at regular intervals. Most users resist all of these elements.

The length of a password directly affects how easily it can be cracked. As a result, all passwords should be at least 8 characters long. In addition, passwords should not be based on dictionary words; they should be random. It is easier to crack passwords based on dictionary words, as cracking programs typically start with dictionary strings. One way to make secure passwords is to create them from phrases that are familiar to you. For example, the phrase “I live at 101 Maple Street in Phoenix Arizona” could be turned into the password

    Ila101MiPA

This is a password built from the first letter of each word. Remember that Linux is case sensitive.

Password Management allows you to force changes in the password or have the account be automatically disabled after a period of time. It is a good idea to force users to change their passwords at regular intervals. Of course, this is even more important for administrators to do as well. The downside is that users who are forced to change passwords often tend to forget them, which can make the situation worse.
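The aging fields in jane’s /etc/shadow entry and the plain-text risk of “useradd -p” can both be checked from the file itself. The following is an added example, not code from the original post: it decodes one shadow line into the dates chage -l reports and flags a password field that is not a hash. The function names, the “bob” account and the sample lines are constructed for illustration, and the hash check assumes the modern $id$salt$hash layout.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("user", "pw", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expires", "reserved")

def day_to_date(value):
    """Shadow dates are day counts since 1970-01-01; empty means 'never'."""
    return EPOCH + timedelta(days=int(value)) if value else None

def audit_shadow_line(line):
    """Decode one /etc/shadow entry and list password-policy findings."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 9 colon-separated fields")
    e = dict(zip(FIELDS, parts))
    findings = []
    pw = e["pw"]
    if pw == "":
        findings.append("empty password field")
    elif pw[0] in "!*":
        pass  # locked or no-login account, not a usable password
    elif not (pw.startswith("$") and pw.count("$") >= 3):
        # What a plain-text value passed to 'useradd -p' looks like on disk.
        # Assumption: legacy 13-character DES hashes would be flagged too.
        findings.append("password field is not a crypt hash")
    if e["max_days"] in ("", "99999"):
        findings.append("password never expires")
    return {
        "user": e["user"],
        "last_change": day_to_date(e["last_change"]),
        "account_expires": day_to_date(e["expires"]),
        "findings": findings,
    }

# Constructed sample lines: the numeric fields match jane's entry above, the
# hash is a placeholder, and "bob" is a hypothetical account created with -p.
SAMPLES = [
    "jane:$6$SALT$HASHPLACEHOLDER:14769:0:99999:7::15095:",
    "bob:Summer2010:14769:0:90:7:::",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_shadow_line(sample))
```

For jane’s fields this yields the same “Last password change” and “Account expires” dates as the chage -l output, plus a finding for the 99999-day maximum age.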