In the early days of UNIX and Linux systems, passwords were stored using the DES encryption algorithm, often without the use of a salt. Usernames and passwords were kept in the /etc/passwd file, which was readable by all users. This practice posed a security risk as the passwords were relatively easy to access and crack.
Improvements in Password Storage
Transition to MD5 and Beyond
As security concerns grew, UNIX and Linux systems moved towards stronger hashing algorithms and better storage practices. Passwords began to be hashed using MD5, and later algorithms such as Blowfish, SHA-256, and SHA-512. Along with the stronger algorithms, the use of salt became standard practice. Initially, salts were 4 bytes long, but later expanded to 8 bytes.
To improve security further, password hashes were moved to the /etc/shadow file, which has restrictive permissions and is only readable by the root user. Meanwhile, the /etc/passwd file remained world-readable but did not contain sensitive hash data.
Password Hashing in /etc/shadow
In modern UNIX and Linux systems, the /etc/shadow file contains password hashes in a format that includes the hash type, the salt, and the hashed password, separated by dollar signs ($). The structure is as follows:
username:$id$salt$hashed_password
$1$ indicates MD5 hashing.
$2$ indicates Blowfish hashing.
$5$ indicates SHA-256 hashing.
$6$ indicates SHA-512 hashing.
For example:
sec504:$6$1ArFQuUx$qhCcp4hKJvWxf47bm30iFs3CldfvKy/z28wN24GuOwBfcgOF8j2iYgl15eFPyMQ0HzE.PyXrIqE3FpnF4vdPq.
This entry shows a SHA-512 hash ($6$), with an 8-byte salt (1ArFQuUx) and the resulting hashed password.
Enhancing Password Security
Multiple Rounds of Hashing
To thwart password-cracking attempts, modern hashing algorithms often use multiple rounds of hashing. For instance:
MD5 crypt ($1$) uses 1,000 rounds.
SHA-256 ($5$) and SHA-512 ($6$) use 5,000 rounds by default.
Multiple rounds slow down the hashing process, making it computationally expensive for attackers to crack passwords using brute force or dictionary attacks.
GPU-based Attacks
Attackers have adapted by utilizing GPUs to speed up the password-cracking process. GPUs can perform many parallel computations, significantly increasing the number of hashes that can be computed per second. For example, an NVIDIA GeForce RTX 2070 can compute around 768,500 SHA-512 hashes per second.
Mitigating Advanced Cracking Techniques
To counter GPU-based attacks, more sophisticated hashing algorithms have been developed:
PBKDF2 (Password-Based Key Derivation Function 2): Uses a flexible number of hashing rounds, typically in the thousands or millions.
Bcrypt: Incorporates a memory-intensive hashing process, which is difficult for GPUs to optimize.
Scrypt: Requires even more memory, making it particularly resistant to GPU-based attacks.
Argon2: The winner of the Password Hashing Competition, designed to be memory-hard and resistant to GPU attacks.
Conclusion
As attackers become more sophisticated, so too must the mechanisms for securing passwords. Modern UNIX and Linux systems use advanced hashing techniques to ensure that password storage remains as secure as possible.
Akash Patel
Commenti