A password is typically stored, not in clear text, in a database and and verification is applied by means of a one-way function, sometimes in combination with other data. If the one-way function does not incorporate a secret key, as does Kerberos or RSA, it's referred to as a "hash." This is the case of the legacy /etc/password file.

Possession of a password hash greatly facilitates "cracking" it since the cracking program can work on it off-line and evade what a system might have in effect (i.e.: limit on the number of login attempts) to prevent unauthorized access.

Obtaining passwords

The ways of obtaining passwords illicitly include:

Attack methods

Methods of attack include:

Shadow passwords

Shadowing passwords means to increase its security level by hiding even its encrypted form from ordinary users. The best example of this is solving the problem of /etc/passwd, which is readable by all users including the hashed password for any given user, a knowledge of which can greatly reduce the time it takes to mount a successful attack.

On Linux systems, /etc/shadow stores the real hash for users and is not viewable by them. Password fields in /etc/passwd are then filled with x. Root access is required to see these hashes.


Much of the contents of this document were plagierized from