<
 
 
 
 
×
>
hide
You are viewing a Web site, archived on 09:15:50 Oct 15, 2004. It is now a Federal record managed by the National Archives and Records Administration.
External links, forms, and search boxes may not function within this collection.

 

CERT® Coordination Center

Protecting Yourself from Password File Attacks


Introduction

  1. Protect your password file
  2. Ensure that the passwords being used on accounts cannot easily be guessed or cracked by intruders
  3. Ensure that you are up-to-date with security patches and workarounds
  4. Watch for unusual activity

We have seen incidents in which intruders obtain password files from sites and then try to compromise accounts by cracking passwords. Once intruders gain access to a user account, they attempt to gain root access through a cracked root password or by exploiting another vulnerability.

These incidents point to the need for system administrators to adequately defend their systems from this type of attack. We urge you to do the following.

  1. Protect your password file so that an intruder cannot obtain a copy of it.
  2. Ensure that good passwords are selected so that they cannot easily be cracked, or use a technology in which passwords are not located in the password file.
  3. Ensure that you are up-to-date with security patches and workarounds.
  4. Watch for unusual activity.
More specifically, here are steps you can take to minimize the possibility that your password file (with passwords in it) can fall into the hands of an intruder.

  1. Protect your password file
  2. Ensure that the passwords being used on accounts cannot easily be guessed or cracked by intruders.

    You may wish to verify that good passwords are being selected at your site (in accordance with your organization's policies and procedures). Crack is a tool you can use to do this. It is a freely available program designed to identify standard UNIX DES encrypted passwords that can be found in widely available dictionaries by standard guessing techniques outlined in the Crack documentation.

    Crack is available by anonymous FTP from

    ftp://info.cert.org/pub/tools/crack
  3. Ensure that you are up-to-date with patches and workarounds on your machines.

    Keeping up-to-date can help minimize the likelihood that you will be root compromised if user accounts are compromised. For information about the latest patches and workarounds, contact your vendor. You can also find information in

    ftp://info.cert.org/pub/latest_sw_versions
  4. Watch for unusual activity.

    Use all of the logging facilities available, including wtmp, syslog, and process accounting. Use tcp wrappers and log all connection attempts for all services made available via inetd. Examine these logs looking for suspicious activity. One tool that is available to analyze syslog files is SWATCH. It is available at

    ftp://ftp.stanford.edu/general/security-tools/swatch


This document is available from: http://www.cert.org/tech_tips/passwd_file_protection.html