Shadows

Open hashes
Here's a typical line out of a password file without shadows:
jgross:a09aha*naf90a:314:100:Joe Gross:/home/jgross:/bin/zsh
The problem here is that anyone who can read the password file can grab the encrypted hash (the part that looks like line noise) and run programs like crack to determine the original password.

The solution is to install shadow passwords on your machine so that users cannot see the password hash. The password hashes themselves are generally stored in a file called /etc/shadow. Here's the new password file entry with shadow installed:

jgross:x:314:100:Joe Gross:/home/jgross:/bin/zsh
If you don't already have shadow passwords installed, it's not trivial to install them yourself. Make sure you read the documentation carefully before installing them.
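
To check which accounts in a password file still expose a hash, the second field of each line can be classified. The script below is an added example, not part of the original page; apart from the jgross line, the sample entries are constructed, and it goes beyond the two cases shown above by also flagging empty and locked password fields (treating a leading "*" or "!" as locked is an assumption based on common convention).

```python
# Added example: classify the password field of passwd-format lines.
from typing import List, NamedTuple


class Finding(NamedTuple):
    user: str
    status: str


def classify_field(pw: str) -> str:
    """Classify the second field of a passwd entry."""
    if pw == "x":
        return "shadowed"       # hash lives in /etc/shadow
    if pw == "":
        return "empty"          # no password required at all
    if pw[0] in "*!":
        return "locked"         # assumption: no password can match
    return "exposed-hash"       # hash readable by every local user


def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per non-blank, non-comment line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:    # passwd entries have exactly 7 fields
            findings.append(Finding(f"<line {lineno}>", "malformed"))
            continue
        findings.append(Finding(fields[0], classify_field(fields[1])))
    return findings


def needs_attention(findings: List[Finding]) -> List[str]:
    """Accounts whose password field is an exposed hash or empty."""
    return [f.user for f in findings if f.status in ("exposed-hash", "empty")]


# First line is the page's own example; the rest are constructed samples.
SAMPLE = """\
jgross:a09aha*naf90a:314:100:Joe Gross:/home/jgross:/bin/zsh
alice:x:1001:100:Alice Example:/home/alice:/bin/sh
guest::1002:100:Guest:/home/guest:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
broken:line
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(f"{finding.user:10} {finding.status}")
```
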
Advantages to using shadows

  • Users cannot grab the entire password file and run crack to expose the weak passwords. In practice you will see about 20% of the passwords on a large system be crackable.

Disadvantages to using shadows

  • You might have to recompile any program that uses passwords and relink it with the shadow library. An example would be xlock.

  • The Vorlons will come to destroy your computer.
