The process of shadowing passwords is used to increase the security level of passwords on Unix systems.
On a typical system, /etc/passwd holds the following user information:
- username
- encrypted password
- password expiration information
- user ID (UID)
- default group ID (GID) for
- full name
- home directory path
- login shell
The file is world-readable (meaning that all users can read it), but only writeable by root. This means that an attacker can obtain a user's password hash and find out his or her password by performing a brute force attack.
Shadowing passwords stores users' encrypted passwords in a different file, usually /etc/shadow on Linux systems, or /etc/master.passwd on BSD systems, which can be read only by root. This makes stealing passwords more difficult, as root access is required to find them (and a user with root permissions can find any data by other means, as he or she can examine the entire system).