Ensuring Secure Passwords

Passwords are the literal keys to your system. Break-ins occur for a variety of reasons, but weak passwords top the list.

Weak passwords are easy to guess or break, and malware and botnets frequently target passwords to gain access. They often use a brute-force method: they try password after password, typically working from a password dictionary or a list of words in common use, until one succeeds.

You must perform a few important tasks to harden your server with regard to passwords. First, ensure that there are no accounts with empty passwords — in other words, accounts that have no password at all. The following command identifies any such accounts by printing every line of /etc/shadow whose second (password) field is empty.

# awk -F: '($2 == "") {print}' /etc/shadow

Figure 5-1 shows the result of running the command on a server that has an account without a password. Normally a hash of the password would appear in the second field, next to the user tom; here that field is empty.

Figure 5-1: Empty password found


If you find any of these accounts, either assign a password to the user, or delete the user.
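The same audit as the awk one-liner above, written as an added Python example (not code from the book) that goes a little further: besides reporting accounts whose password field is empty, it distinguishes locked accounts ("!" prefix, "!!", or "*"), which the awk command correctly does not flag, from accounts that carry a real hash, and names the hash scheme from the field's "$id$" prefix. The shadow lines are constructed sample data in /etc/shadow format; the hash values in them are placeholders, not real hashes.

```python
"""Audit /etc/shadow-style entries for empty, locked and hashed password fields."""
from typing import Dict, List

# Constructed sample in /etc/shadow format (placeholder hashes, not real data):
# name:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHsha512:19000:0:99999:7:::
tom::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:$y$j9T$saltsalt$PLACEHOLDERHASHyescrypt:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
# comment lines and malformed lines are skipped
broken-line-without-fields
"""

# crypt(3) scheme identifiers found at the start of a shadow password field.
HASH_SCHEMES = {
    "$1$": "md5crypt",
    "$2b$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name -> password field for every well-formed, non-comment line."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:      # not a shadow record at all
            continue
        entries[fields[0]] = fields[1]
    return entries


def classify_password_field(field: str) -> str:
    """Return 'empty', 'locked' or 'hashed(<scheme>)' for one password field."""
    if field == "":
        return "empty"                        # no password: anyone can log in
    if field == "*" or field.startswith("!"):
        return "locked"                       # "!", "!!" or "*": password login disabled
    for prefix, scheme in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return f"hashed({scheme})"
    return "hashed(unknown)"                  # e.g. legacy DES crypt or a custom scheme


def find_empty_password_accounts(text: str) -> List[str]:
    """Equivalent of: awk -F: '($2 == "") {print $1}' /etc/shadow"""
    return [user for user, field in parse_shadow(text).items() if field == ""]


def audit_shadow(text: str) -> Dict[str, str]:
    """Classify every account so a reviewer sees empty, locked and hashed entries at a glance."""
    return {user: classify_password_field(field) for user, field in parse_shadow(text).items()}


if __name__ == "__main__":
    # Run against the live file with: python3 this_script.py  (needs read access to /etc/shadow)
    try:
        with open("/etc/shadow") as fh:
            data = fh.read()
    except PermissionError:
        data = SAMPLE_SHADOW
    for user, status in audit_shadow(data).items():
        print(f"{user:12} {status}")
    print("empty-password accounts:", find_empty_password_accounts(data))
```

Any user returned by find_empty_password_accounts should be given a password or removed, as the text says; accounts reported as "locked" are not a finding for this check, since they cannot log in with a password at all.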

Shadow Password File

A shadow password file stores the encrypted password (technically it's encoded, not encrypted) for each user. Only the root user can read this file, so an unprivileged user or process cannot copy the password field and run a dictionary attack against it offline.
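The protection described here depends entirely on the file's ownership and mode, so it is worth checking rather than assuming. The following is an added Python example (not code from the book) that reports a shadow file that is readable or writable by users other than its owner, or owned by the wrong account; the demo function exercises it on a constructed temporary file rather than on the real /etc/shadow, and passes the current user as the expected owner because the demo does not run as root.

```python
"""Check that a shadow-style file is protected from non-root users."""
import os
import pwd
import stat
import tempfile
from typing import List


def shadow_permission_findings(path: str, expected_owner: str = "root") -> List[str]:
    """Return a list of findings; an empty list means the file is protected as expected."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings: List[str] = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")      # anyone could copy the hashes for offline cracking
    if mode & stat.S_IWOTH:
        findings.append("world-writable")      # anyone could blank or replace a password field
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    owner = pwd.getpwuid(st.st_uid).pw_name
    if owner != expected_owner:
        findings.append(f"owned by {owner}, expected {expected_owner}")
    return findings


def demo():
    """Show the check on a constructed temp file: first with a weak mode, then with 0640."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("tom::19000:0:99999:7:::\n")    # constructed shadow-format line
        path = fh.name
    me = pwd.getpwuid(os.getuid()).pw_name      # demo is not run as root, so expect ourselves
    try:
        os.chmod(path, 0o644)                   # the common mistake: world-readable
        weak = shadow_permission_findings(path, expected_owner=me)
        os.chmod(path, 0o640)                   # typical hardened mode (root:shadow on Debian-style systems)
        good = shadow_permission_findings(path, expected_owner=me)
    finally:
        os.unlink(path)
    return weak, good


if __name__ == "__main__":
    weak, good = demo()
    print("mode 0644:", weak or "no findings")
    print("mode 0640:", good or "no findings")
    # Against the live file (as root): print(shadow_permission_findings("/etc/shadow"))
```

On a real system, run shadow_permission_findings("/etc/shadow") as root and treat any finding as something to fix immediately, since a world-readable shadow file removes exactly the protection this section describes.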

The original implementation was built in 1987, after its author experienced a cyber break-in on a SCO XENIX operating system. It was ported over the years to various ...
