Hello
On 2023-01-17 09:51, DdB wrote:
On 17.01.2023 at 07:14, Stanislav Vlasov wrote:
Tue, 17 Jan 2023 at 11:01, David <david.g_jo...@ntlworld.com>:
Looking on the internet it says the passwords are stored in
/etc/passwd and /etc/shadow
In /etc/shadow there are only password hashes: data computed one-way
from the password string.
The password string in /etc/shadow looks as if it's encoded; how can I
read this string?
You can't.
Everyone (and their friend) seems to know how to work around this, which
apparently is common Debian knowledge (which is nice).
But somehow, I feel there could be more care about avoiding teaching
future hackers by accident. Is this kind of lesson appropriate for a
users list? I doubt it.
just my 2 cents
DdB
It's not hacking. It's typical system administration stuff. Required
knowledge so you don't end up locked out of your own system on a
non-encrypted installation. It requires physical access to the computer,
so it is not applicable from a distance, as you need to either
- remove the hard drive, then mount it on another machine,
- boot from a live USB, or
- boot into GRUB's rescue shell.
But if you're worried about physical access to your computer (such as a
laptop that can easily be stolen, or left in a hotel room, or whatever),
an account password isn't going to protect your data, or protect you
from someone altering your password / installing fishy stuff…
In such a case, you need to protect your system by encrypting it. And not
just encrypt /home, as the files you need to protect in order to protect
the system from password tampering are NOT in /home. The Debian installer
has an option to encrypt the system quite easily; you just need time for
the initial installation, as it spends a good amount of time writing random
data (a more or less acceptable duration depending on your disk speed and
CPU performance). And re-encrypt it when needed / when algorithms get
broken and new, better ones become the new recommended standard / if your
decryption passphrase is known by someone else / whatever.
But it only makes sense if your decryption key has a long, complex
passphrase. An easily brute-forceable or guessable password for disk
encryption defeats the very purpose of disk encryption. It basically
means that if you forget the passphrase, you're pretty much screwed until
you either remember it, or reinstall and reconfigure everything. So you
need to have backups [1] in a secure place.
---
1. But again, backups are required anyway, encrypted installs or not.
Storage media do fail and/or get stolen. Never trust a single storage
device. Or "cloud" backup bullshit. The cloud being nothing else than
someone else's computer, whose owner can do whatever they want on it,
kick users out whenever they please, or abuse personal data for profit
if they want to (whether they do it in a "legal" or semi-legal way or not
doesn't matter, as they have the technical means to do so and users have
no means to check what's going on [2]. Including when data is
"encrypted", IF encryption and decryption happen on their systems).
2. It's already hard enough to know what's going on on one's own
computer, let alone on distant systems managed by someone else…