GeodSoft logo   GeodSoft

Good and Bad Passwords How-To

Basics of Password Encryption and Storage; Definitions of Terms

Password Encryption and Storage

Until the late 1980's UNIX systems stored user's encrypted passwords, usually referred to as hashes, in the file /etc/passwd. These hashes are generated by using a user entered, plain text password as a key to an encryption algorithm. This encrypts a constant and creates a resulting unique gibberish string (hash) which is saved. When the user next logs in, their password is passed through the same encryption process, and if the result equals the saved hash, the user is allowed entry since they provided the correct password.

Though encryption algorithms have changed over time and may differ from one operating system to the next and the resulting hash is stored in different locations for different operating systems, the basic approach is pretty much universal.

The encryption algorithms are one way. There is no known way to take the hash and reverse the algorithm to derive the password. If this is not true, then the algorithm is not suitable for hashing passwords. Passwords can be guessed though. If a test password is passed through the encryption algorithm and the resulting hash is the same as the stored hash, then the password has been successfully guessed.

Security of the Password Hashes

UNIX systems' /etc/passwd file is world readable. Anyone who gains any kind of access to a machine can copy the passwd file and move it off the system by any means that might be available to them including e-mail, FTP, HTTP, NFS, scp, optical media, USB stick, and others. The attacker can then attempt to crack (systematically guess) passwords at their leisure; the methods will be discussed later.

HTTP may seem an odd way to get a file off a computer. It's actually quite attractive. The attacker only needs a web server on one of their computers with a file upload script; this is easy to set up. The attacker can run any text browser on the attacked system; most Unix like systems have one or more text browsers installed by default. This approach is more likely to get past a tightly configured firewall than almost any other method.

In the late 1980's Sun began using a shadow password file which was not world readable. The password hashes were no longer placed in /etc/passwd but the shadow password file, often /etc/shadow, which should be readable only by root (the system admin). The /etc/passwd file was retained with the other less sensitive information so that programs that needed the other non password information could continue to run without modification or special privileges. The few programs such as login and passwd that actually need the password hash, have special privileges so that ordinary users can run them. Since about 2000, nearly all UNIX systems use or can use shadow password files, though they may not be called shadow. Any system that doesn't, should be configured to do so, upgraded or replaced.

Windows NT systems never had the specific vulnerability of a world readable password file. NT passwords are stored in part of the registry known as the SAM. Passwords for Windows 2000 and later Windows systems may be stored in the SAM or the directory if Active Directory is enabled. These are in continuous use, i.e. held open, by the operating system as long as it's up, so the SAM or directory can never be accessed as an ordinary file. They must be accessed through an appropriate API, which is implemented in various utility programs. Access to security sensitive information typically requires system or administrator level access. NT's successors, XP, Vista, Windows 7 and 8, and variously named servers continue to use the same basic password storage approach as NT and 2000. Though Windows never had a problem similar to early Unix systems, nearly everything else about Windows password storage is flawed in other ways. I'm working on an update to the Windows Poor Password Encryption page.

Though the current situation is better than the early UNIXs, it's naive to think that the password files are secure just because they can't be read by every user as an ordinary file. On UNIX, anyone with root access can read the shadow password file as an ordinary file and on NT regback from the NT Resource Kit will make a perfect copy of the SAM, while it's open by the system. Also pwdump, a small free utility, can copy the account and password hashes from the SAM to a text file that can be fed to cracking programs. On newer Windows systems, other programs perform similar functions. NT system recovery disks provide another simple way to export the SAM data. The situation remains much the same with more recent versions of Windows. On all Windows systems, anyone with unattended access and a properly made Linux boot CD or DVD can copy the accounts and password hashes to a USB stick or have the necessary tools installed to use any of the methods discussed above for Unix systems. The only requirement is that the optical drive be set to allow booting; if not on, it can be turned on in less than a minute on virtually all PCs.

If you search the Internet for types of security attacks, about half the results include network, Internet or a related word in the title. Even in most of the articles that have nothing in their title related to networks, there is little or no mention of physical security. People forget, don't know, or are not interested (computer people are technical and physical security tends not to be) that historically most security compromises have come from the inside, employees or contract personnel like cleaning crews that nearly always work without supervision. This may be shifting somewhat but where numbers can be found, the inside still represents more of a threat than the outside; not all inside security issues are intentional. In an article written sometime between 2008 and 2013 and titled Types of Security Threats wrote that the Computer Security Institute found that of companies with security breaches, 60% came from internal sources.

Staff with administrative access, who are not honest, can easily provide the necessary account names and password hashes to a potential intruder who has provided an appropriate inducement. A departing administrator can take or transmit this information and subsequently use it to crack passwords to which they would not normally have had access. Whenever any computer or network administrator leaves an organization, all administrative account passwords should be changed on all systems to which the departing administrator may have had access; this applies to both Unix and Windows systems.

Generally, unless they are misconfigured, modern systems require that a user or process already have root or administrative access before the user account and password hash information can be obtained. The following examples show, this does not necessarily mean possession of a valid root or administrator password and the ability to log in.

Most sites have some form of off-site backup storage. The backups will have the necessary information, which is rarely protected by anything other than the physical security of the backup media. Thus off-site backups are as protected or vulnerable as the honesty and procedures of the off-site storage company and its employees make them.

Backups kept on-site will be as secure as the physical storage of the media. A locked computer room loses much of its value if an employee can pocket a tape or other removable media from an unsecured area. Backup media should not be stored in immediate proximity of the machines they backup, lest an event that compromises the machines also compromises the backups. Backup media should be stored in a physically separate but secured area.

Anyone with physical access to the hardware can obtain the accounts and password hashes. UNIX systems can usually be booted to single user mode and normally Windows systems can be booted via a bootable CD or DVD as described above.

There are at least two classes of remote exploits that apply to both UNIX and Windows systems. These are buffer overflows that allow the execution of arbitrary code and application or service level errors; the specifics are system dependent.

Various services, usually running as root or system have had buffer overflow bugs on both UNIX and NT. Prior to 2001, there were more of these on UNIX systems than on NT. In 2001, several worms and viruses affected hundreds of thousands of windows systems, exposing them to remote administrative compromise. Wherever words like the "execution of arbitrary code" appear associated with buffer overflows, obtaining the password hash information, either directly or indirectly, is at least a theoretical possibility.

A good example of an application level bug is one that allowed a remote user to send commands to sendmail that caused sendmail to e-mail the /etc/passwd file to the remote user. Today the most frequent application level errors are with poorly configured web servers running buggy web applications. Most often these result is defaced web sites but depending on the specifics of the misconfiguration and the bug, just about anything is possible, including system or administrative level compromises and exporting password hash data. The password hashes may be those of web server itself, but often the web sites have much more valuable password files such as and recent compromises of other prominent web sites show. NT has had many more problems of this nature, but UNIX enough that UNIX administrators have no reason to feel smug or secure.

Having a backup tape or system recovery disk gives an attacker access to password data but not direct access to a system. A buffer overflow is likely to provide a means of entry, but not necessarily ongoing access. An intruder will normally want to obtain passwords to root or administrator accounts. This is likely to ensure that an intruder who is in a position to obtain the password hashes will have full access to the compromised system for some time.

Good, bad, weak, strong defined

A weak password is any password that can easily be guessed or cracked. A strong password is difficult to crack or guess. These are relative and unless the password was created in a defective manner, the strength of a password can be calculated mathematically. A password can be so weak it can be cracked in a fraction of a second or so strong that billions of millennia of CPU time should be required. Most of what follows examines the deficiencies that make a superficially strong password, weak. All relate to how humans think and select or create passwords.

A bad password is one that is too weak for the resources it's supposed to defend or that is too difficult for users to use and remember. A good password is a strong password that's reasonably easy to remember. Identifying specific characteristics that make a good password is more difficult than those that make a bad password. Since there is a significant degree of mutual exclusivity between these goals, part of defining good passwords is figuring out what if anything can make a password both easy to remember and hard to guess or crack. Some of the characteristics that make a password easy or hard to remember will be discussed.

Password relativity

How good or bad a password is, depends to a significant degree on what it's protecting and who is using it. People have varying memory capabilities so what may be easy for one person may be difficult for another.

More important is the variability of the value of the resource a password protects. On any computer system, the administrative or root password is of much greater value than that of an unprivileged user account. Different computers and systems have greatly varying values. Computers that manage financial information such as at banks and brokerage houses and very sensitive information such as patient records at hospitals are more valuable and require a greater degree of protection than for example, the mailing lists of a mass marketer or the sales records of a local retail store. Most users are likely to consider their Amazon or other online retail account that includes credit card numbers more important and sensitive than the password to a Gmail or other disposable web based e-mail account. The password to a site such as a social media site, that the user has spent much time customizing may be somewhere in between in sensitivity. If someone has used Gmail or a similar service for several years as their primary email account, and has a large quantity of saved emails, that account will become much more valuable and sensitive than an email account which is only used occasionally.

The importance of a password may depend on one's perspective. You may place a different level of importance on passwords you use at work than your employer would place on those same passwords. You would likely reevaluate the importance of such a password if you were fired because you used an easy to crack password, that led to a costly security breach. It would not matter that the password may have met the letter of any password policies in effect or enforced by a work computer. Some people advocate password safes as a means to manage the many good passwords most of us need in the second decade of the 21st century. I'm not sure how you could use a password safe at work; of course you could use one after you've logged into your work computer to manage website passwords, but how can it help you get onto your work computer?. The following pages are intended to help create good passwords as opposed to abysmal passwords like Number1, which has mixed case and a digit, but would be cracked by any capable hacker in seconds on almost any computer hardware, on any OS, with almost any cracking tools. Not all pages are equally relevant; some pages or sections are more for administrators or policy makers, and some get fairly technical.

Cracking defined

Cracking means running a program that guesses large numbers of passwords against a file containing account names and password hashes. The file is a UNIX passwd or a shadow password file or extracted from the SAM or directory on Windows. The program repeats the encryption algorithm that was used to encrypt the user's plain text password. It uses a dictionary or other list of plain text passwords such as list of common passwords and encrypts these. If the result matches the hash stored in the password file, then the password has been cracked. The cracking program normally also makes various permutations of the dictionary list such as appending or prepending digits or other characters, substituting similar looking characters, rotating or shifting the word in different ways and doing these changes in various combinations. The cracking program may also extract the user's account, name or title from the password file and make combinations and permutations of this data to guess passwords. Cracking programs normally have a brute force method that generates potential passwords; characters are combined randomly to make possible passwords. Frequently used characters may be used before infrequent or unusual characters to increase the likelihood of finding passwords quickly.

Guessing defined

Guessing is an interactive or automated attempt to log into a computer, website, email account or other password protected resource via one of many remote access methods such as HTML, POP3, telnet, ssh, or other protocol. Users tend to pick easy to remember passwords which will often be as short as the system permits. Easy to remember often means things that relate to the user in some fashion as listed later. Also there are some very common passwords such as pass, password, Password1, admin, letmein, and the company's name or acronym.

Guessing is likely to be more successful if the attacker knows something about the users whose accounts they are trying to get into. Some of the information commonly used to create poor passwords is in public records such as phone books. In the past a company web site may have had an employee list with some of this information; these are now very rare. That which isn't listed somewhere publicly accessible, can often be gathered with a social engineering attack. The classic example was a "survey" passed out in a company's lobby that yielded a number of user accounts and passwords.

More than a hundred pieces of information useful in forming passwords can be personally related to a single individual. A number of these can be broken into pieces and or formatted multiple ways. Combinations of pieces may result in thousands of combinations per person. One author1 has identified over three hundred thousand permutations per two word combination and these are not exhaustive.

Interactive guessing is likely to be limited to a few dozen attempts. Only the most obvious personal information with a few simple variations is likely to be tried. It's very likely these attempts will be logged. If there is any attempt to automate the guessing, the likelihood of the attempts being noticed in log files increases significantly. Many systems lock or freeze an account for 15 minutes to an hour, after 3 to 5 invalid attempts within a few minutes, to prevent automated guessing. Still, guessing should not be discounted because it remains a method by which improper access to systems is gained, due to the abysmal passwords some users and even administrators select.

Guessing has one advantage over cracking. Guessing merely requires physical access or an open network path to a machine running a suitable service or application. It does not require any other access to the target machine. Cracking assumes some level of access to the target machine, since the account names and password hashes must be in the cracker's possession before cracking methods can be applied.

Generally, if passwords that are difficult to crack are selected, they will also be difficult or impossible to guess. Thus, the remainder of this discussion will focus on cracking.

transparent spacer

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in (or These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of (or cgi-bin/ from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

Home >
How-To >
Good Passwords >

What's New
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.