busybox: insecure password generation

Posted May 11, 2006 22:32 UTC (Thu) by landley (guest, #6789)
Parent article: busybox: insecure password generation

This is not a "new vulnerability". Salting passwords is something busybox
never did (in its entire history) until now. Probably because the whole
point of the /etc/shadow file is to be readable only by root, so attackers
have to crack root in order to grab a copy of the file in the first place.

Salt's been added to svn and will be in the 1.1.3 release, but it's
questionable how worked up about it to get. If somebody's grabbed a copy
of your shadow file, salt just slows them down. (And not that much; a
modern laptop can grind through a 6 character md5 password, randomly
distributed among 100 or so typable characters, in about a day.)


busybox: insecure password generation

Posted May 3, 2007 7:02 UTC (Thu) by nix (subscriber, #2304)

I suppose it's useful if you're using something like NIS where your entire
password file is visible to the world.

(Mind you if you're using NIS you probably don't care much about security
anyway, or you're hiding screaming in the corner hoping nothing bites
you...)
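
A defender's check related to the thread above, as an added example that is not part of the original comments or of busybox's code: it scans shadow-format lines for empty or reused salts, which is what unsalted password generation leaves behind. The sample entries and hash strings are constructed placeholders, and the field layouts assumed are the modular crypt form `$id$salt$hash` and 13-character DES crypt.

```python
from collections import defaultdict

# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$$PLACEHOLDERHASHAAAAAAA:13279:0:99999:7:::
alice:$1$$PLACEHOLDERHASHAAAAAAA:13279:0:99999:7:::
bob:$1$k3Jq9xTz$PLACEHOLDERHASHBBBBBBB:13279:0:99999:7:::
carol:$1$k3Jq9xTz$PLACEHOLDERHASHCCCCCCC:13279:0:99999:7:::
dave:$1$Zp0w2LmN$PLACEHOLDERHASHDDDDDDD:13279:0:99999:7:::
daemon:*:13279:0:99999:7:::
"""

def split_salt(field):
    """Return (scheme, salt) for a password field, or None if it holds no hash."""
    if field in ("", "*", "x"):
        return None                      # no password set, or account disabled
    if field.startswith("$"):
        parts = field.split("$")         # ['', id, salt, hash]
        if len(parts) >= 5 and parts[2].startswith("rounds="):
            return parts[1], parts[3]    # $id$rounds=N$salt$hash
        if len(parts) >= 4:
            return parts[1], parts[2]
        return None
    if len(field) == 13:
        return "des", field[:2]          # legacy DES crypt: first two chars are the salt
    return None

def audit_shadow(text):
    """Report accounts with an empty salt, a shared salt, or an identical hash field."""
    empty, by_salt, by_field = [], defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        cols = line.split(":")
        if len(cols) < 2:
            continue
        user, field = cols[0], cols[1].lstrip("!")   # '!' prefix marks a locked account
        parsed = split_salt(field)
        if parsed is None:
            continue
        if parsed[1] == "":
            empty.append(user)
        by_salt[parsed].append(user)
        by_field[field].append(user)
    return {
        "empty_salt": empty,
        # One precomputed table per shared salt covers every account in the group.
        "shared_salt": [u for u in by_salt.values() if len(u) > 1],
        # Same scheme, salt and hash: these accounts have the same password.
        "identical_hash": [u for u in by_field.values() if len(u) > 1],
    }

if __name__ == "__main__":
    print(audit_shadow(SAMPLE_SHADOW))
```
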
